detection of software vulnerabilities static analysis
play

Detection of Software Vulnerabilities: Static Analysis (Part II) - PowerPoint PPT Presentation

Feb 19, 2023 •533 likes •2.24k views

Systems and Software Verification Laboratory Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of Computer Science lucas.cordeiro@manchester.ac.uk Static Analysis (Part II) Lucas Cordeiro (Formal

  1. Transforming loop-free programs into equations But what about control flow branches (if-statements)? if(v) if(v 0 ) x = y; x 0 = y 0 ; else else x = z; x 1 = z 0 ; x 2 = v 0 ? x 0 : x 1 ; w = x; w 1 = x 2 ; introduce & use new variable • for each control flow join point, add a new variable with guarded assignment as definition § also called ϕ -function

  2. Bit-blasting Conversion of equations into SAT problem: • simple assignments: effective |[ x = y ]| ≙ ⋀ i x i ⇔ y i bitwidth ⇒ static analysis must approximate effective bitwidth well • ϕ -functions: |[ x = v ? y : z ]| ≙ (v ⇒ |[ x = y ]|) ⋀ (¬ v ⇒ |[ x = z ]|) • Boolean operations: |[ x = y | z ]| ≙ ⋀ i x i ⇔ (y i ⋁ z i ) Exercise: relational operations

  3. Bit-blasting arithmetic operations Build circuits that implement the operations! 1-bit addition: Full adder as CNF:

  4. Bit-blasting arithmetic operations Build circuits that implement the operations! ⇒ adds w variables, 6*w clauses ⇒ multiplication / division much more complicated

  5. Handling arrays Arrays can be replaced by individual variables, with a “demux” at each access: int a 0 , a 1 , a 2 , ... a 9 ; int a[10]; ... ... x = (i==0 ? a 0 x = a[i]; : (i==1 ? a 1 : (i==2 ? a 2 : ...); ⇒ surprisingly effective (for N<1000) because value of i can often be determined statically – due to constant propagation

  6. Handling arrays with theories Arrays can be seen as ADT with two operations: • read: Array x Index → Element “select” • write: Array x Index x Element → Array “update” ... ... a[i]=a[i]+1; a 1 =write(a 0 ,i,read(a 0 ,i)+1); ... ...

  7. Handling arrays with theories Arrays can be seen as ADT with two operations: • read: Array x Index → Element “select” • write: Array x Index x Element → Array “update” ... ... a[i]=a[i]+1; a 1 =write(a 0 ,i,read(a 0 ,i)+1); ... ... Axioms describe intended semantics: ⇒ requires support by SMT-solver

  8. Handling arrays with λ -terms How to handle memset and memcpy ? void *memset(void *dst, int c, size_t n); void *memcpy(void *dst, const void *src, size_t n);

  9. Handling arrays with λ -terms How to handle memset and memcpy ? void *memset(void *dst, int c, size_t n); void *memcpy(void *dst, const void *src, size_t n); ... ... memcpy(a,b,4); a 1 =write(a 0 ,0,read(b,0)); ... a 2 =write(a 1 ,1,read(b,1)); a 3 =write(a 2 ,2,read(b,2)); a 4 =write(a 3 ,3,read(b,3)); ...

  10. Handling arrays with λ -terms How to handle memset and memcpy ? void *memset(void *dst, int c, size_t n); void *memcpy(void *dst, const void *src, size_t n); ... ... memcpy(a,b,4); a 1 =write(a 0 ,0,read(b,0)); ... a 2 =write(a 1 ,1,read(b,1)); a 3 =write(a 2 ,2,read(b,2)); a 4 =write(a 3 ,3,read(b,3)); ... • not scalable for large constants • need to encode as loop for non-constant block sizes § same problems for normal array-copy operations

  11. Handling arrays with λ -terms How to handle memset and memcpy ? void *memset(void *dst, int c, size_t n); void *memcpy(void *dst, const void *src, size_t n); Abuse of notation ... ... memcpy(a,b,4); a 1 = λ i•(0<=i && i<4) ? ... read(b,i) : read(a 0 ,i)); ... • similar for memset and array-copy loops • additional axiom describes intended semantics ⇒ requires integration into SMT-solver

  12. Lambdas, Arrays and Quantifiers Mathias Preiner, Aina Niemetz, Armin Biere: Better Lemmas with Lambda Extraction. FMCAD 2015: 128-135

  13. Handling arrays with λ -terms Stephan Falke, Florian Merz, Carsten Sinz: Extending the Theory of Arrays: memset, memcpy, and Beyond. VSTTE 2013: 108-128

  14. SAT vs. SMT BMC tools use both propositional satisfiability (SAT) and satisfiability modulo theories (SMT) solvers:

  15. SAT vs. SMT BMC tools use both propositional satisfiability (SAT) and satisfiability modulo theories (SMT) solvers: • SAT solvers require encoding everything in CNF § limited support for high-level operations § easier to reflect machine-level semantics § can be extremely efficient (SMT falls back to SAT)

  16. SAT vs. SMT BMC tools use both propositional satisfiability (SAT) and satisfiability modulo theories (SMT) solvers: • SAT solvers require encoding everything in CNF § limited support for high-level operations § easier to reflect machine-level semantics § can be extremely efficient (SMT falls back to SAT) • SMT solvers support built-in theories § equality, free function symbols, arithmetics, arrays,... § sometimes even quantifiers § very flexible, extensible, front-end easier § requires extra effort to enforce precise semantics § can be slower

  17. Modeling with non-determinism Extend C with three modeling features: • assert(e) : aborts execution when e is false, no-op otherwise void assert (_Bool b) { if (!b) exit(); }

  18. Modeling with non-determinism Extend C with three modeling features: • assert(e) : aborts execution when e is false, no-op otherwise void assert (_Bool b) { if (!b) exit(); } • nondet_int() : returns non-deterministic int-value int nondet_int () { int x; return x; }

  19. Modeling with non-determinism Extend C with three modeling features: • assert(e) : aborts execution when e is false, no-op otherwise void assert (_Bool b) { if (!b) exit(); } • nondet_int() : returns non-deterministic int-value int nondet_int () { int x; return x; } • assume(e) : “ignores” execution when e is false, no-op otherwise void assume (_Bool e) { while (!e) ; }

  20. Modeling with non-determinism General approach: • use C program to set up structure and deterministic computations • use non-determinism to set up search space • use assumptions to constrain search space • use failing assertion to start search int main() { int x=nondet_int(),y=nondet_int(),z=nondet_int(); __ESBMC_assume(x > 0 && y > 0 && z > 0); __ESBMC_assume(x < 16384 && y < 16384 && z < 16384); assert(x*x + y*y != z*z); return 0; }

  21. Intended learning outcomes • Introduce typical BMC architectures for verifying software systems • Understand communication models and typical errors when writing concurrent programs • Explain explicit schedule exploration of multi- threaded software • Explain sequentialization methods to convert concurrent programs into sequential ones

  22. Concurrency verification Writing concurrent programs is DIFFICULT • programmers have to guarantee communication mechanism § correctness of sequential execution of each individual process … P 1 P 2 P N § with nondeterministic interferences from other processes (schedules) processes

  23. Concurrency verification Writing concurrent programs is DIFFICULT • programmers have to guarantee communication mechanism § correctness of sequential execution of each individual process … P 2 P 2 P N § with nondeterministic interferences from other processes (schedules) processes • rare schedules result in errors that are difficult to find, reproduce, and repair § testers can spend weeks chasing a single bug ⇒ huge productivity problem

  24. Concurrency verification What happens here...??? int n=0; //shared variable void* P(void* arg) { int tmp, i=1; while (i<=10) { tmp = n; n = tmp + 1; i++; } return NULL; } int main (void) { pthread_t id1, id2; pthread_create(&id1, NULL, P, NULL); Which values can n pthread_create(&id2, NULL, P, NULL); pthread_join(id1, NULL); actually have? pthread_join(id2, NULL); assert(n == 20); }

  25. Concurrency verification What happens here...??? $gcc example-2.c -o example-2 int n=0; //shared variable $./example-2 $./example-2 void* P(void* arg) { $./example-2 int tmp, i=1; while (i<=10) { $./example-2 tmp = n; $./example-2 n = tmp + 1; $./example-2 i++; Assertion failed: (n } return NULL; == 20), function main, } file example-2.c, line 22. int main (void) { pthread_t id1, id2; pthread_create(&id1, NULL, P, NULL); Which values can n pthread_create(&id2, NULL, P, NULL); pthread_join(id1, NULL); actually have? pthread_join(id2, NULL); assert(n == 20); }

  26. Concurrency verification What happens here...??? int n=0; //shared variable void* P(void* arg) { int tmp, i=1; while (i<=10) { tmp = n; n = tmp + 1; i++; } return NULL; } int main (void) { pthread_t id1, id2; pthread_create(&id1, NULL, P, NULL); pthread_create(&id2, NULL, P, NULL); pthread_join(id1, NULL); pthread_join(id2, NULL); assert(n >= 10 && n <= 20); }

  27. Concurrency verification What happens here...??? int n=0; //shared variable pthread_mutex_t mutex; void* P(void* arg) { int tmp, i=1; while (i<=10) { pthread_mutex_lock(&mutex); tmp = n; n = tmp + 1; pthread_mutex_unlock(&mutex); i++; } return NULL; } int main (void) { pthread_t id1, id2; pthread_mutex_init(&mutex, NULL); pthread_create(&id1, NULL, P, NULL); pthread_create(&id2, NULL, P, NULL); pthread_join(id1, NULL); pthread_join(id2, NULL); assert(n == 20); }

  28. Concurrency errors There are two main kinds of concurrency errors: • progress errors: deadlock, starvation, ... § typically caused by wrong synchronization § requires modeling of synchronization primitives o mutex locking / unlocking § requires modeling of (global) error condition

  29. Concurrency errors There are two main kinds of concurrency errors: • progress errors: deadlock, starvation, ... § typically caused by wrong synchronization § requires modeling of synchronization primitives o mutex locking / unlocking § requires modeling of (global) error condition • safety errors: assertion violation, ... § typically caused by data races (i.e., unsynchronized access to shared data) § requires modeling of synchronization primitives § can be checked locally

  30. Concurrency errors There are two main kinds of concurrency errors: • progress errors: deadlock, starvation, ... § typically caused by wrong synchronization § requires modeling of synchronization primitives o mutex locking / unlocking § requires modeling of (global) error condition • safety errors: assertion violation, ... § typically caused by data races (i.e., unsynchronized access to shared data) § requires modeling of synchronization primitives § can be checked locally ⇒ focus here on safety errors

  31. Shared memory concurrent programs Concurrent programming styles: • communication via message passing § “truly” parallel distributed systems § multiple computations advancing simultaneously

  32. Shared memory concurrent programs Concurrent programming styles: • communication via message passing § “truly” parallel distributed systems § multiple computations advancing simultaneously • communication via shared memory § multi-threaded programs § only one thread active at any given time (conceptually) , but active thread can be changed at any given time o active == uncontested access to shared memory o can be single-core or multi-core

  33. Shared memory concurrent programs Concurrent programming styles: • communication via message passing § “truly” parallel distributed systems § multiple computations advancing simultaneously • communication via shared memory § multi-threaded programs § only one thread active at any given time (conceptually) , but active thread can be changed at any given time o active == uncontested access to shared memory o can be single-core or multi-core ⇒ focus here on multi-threaded, shared memory programs

  34. Multi-threaded programs • typical C-implementation: pthreads

  35. Multi-threaded programs • typical C-implementation: pthreads • formed of individual sequential programs (threads) § can be created and destroyed on the fly § typically for BMC: assume upper bound § each possibly with loops and recursive function calls § each with local variables

  36. Multi-threaded programs • typical C-implementation: pthreads • formed of individual sequential programs (threads) § can be created and destroyed on the fly § typically for BMC: assume upper bound § each possibly with loops and recursive function calls § each with local variables • each thread can read and write shared variables § assume sequential consistency: writes are immediately visible to all the other programs § weak memory models can be modeled

  37. Multi-threaded programs • typical C-implementation: pthreads • formed of individual sequential programs (threads) § can be created and destroyed on the fly § typically for BMC: assume upper bound § each possibly with loops and recursive function calls § each with local variables • each thread can read and write shared variables § assume sequential consistency: writes are immediately visible to all the other programs § weak memory models can be modeled • execution is interleaving of thread executions § only valid for sequential consistency

  38. Round-robin scheduling • context: segment of a run t 3 t 1 t 2 of an active thread t i (l 0 ,s 0 ) (l 2 ,s 1 ) (l 4 ,s 2 ) (l 3 ,s 2 ) (l 5 ,s 3 ) (l 1 ,s 1 ) (l 1 ,s 3 ) (l 3 ,s 4 ) (l 5 ,s 5 )

  39. Round-robin scheduling • context: segment of a run t 3 t 1 t 2 of an active thread t i (l 0 ,s 0 ) (l 2 ,s 1 ) (l 4 ,s 2 ) • context switch: change of active thread from t i to t k (l 3 ,s 2 ) (l 5 ,s 3 ) (l 1 ,s 1 ) § global state is passed on to t k § context switch back to t i resumes (l 1 ,s 3 ) (l 3 ,s 4 ) (l 5 ,s 5 ) at old local state (incl. pc)

  40. Round-robin scheduling • context: segment of a run t 3 t 1 t 2 of an active thread t i (l 0 ,s 0 ) (l 2 ,s 1 ) (l 4 ,s 2 ) • context switch: change of active thread from t i to t k (l 3 ,s 2 ) (l 5 ,s 3 ) (l 1 ,s 1 ) § global state is passed on to t k § context switch back to t i resumes (l 1 ,s 3 ) (l 3 ,s 4 ) (l 5 ,s 5 ) at old local state (incl. pc) • round: formed of one context of each thread

  41. Round-robin scheduling • context: segment of a run t 3 t 1 t 2 of an active thread t i (l 0 ,s 0 ) (l 2 ,s 1 ) (l 4 ,s 2 ) • context switch: change of active thread from t i to t k (l 3 ,s 2 ) (l 5 ,s 3 ) (l 1 ,s 1 ) § global state is passed on to t k § context switch back to t i resumes (l 1 ,s 3 ) (l 3 ,s 4 ) (l 5 ,s 5 ) at old local state (incl. pc) • round: formed of one context of each thread • round robin schedule: same order of threads in each round

  42. Round-robin scheduling • context: segment of a run t 3 t 1 t 2 of an active thread t i (l 0 ,s 0 ) (l 2 ,s 1 ) (l 4 ,s 2 ) • context switch: change of active thread from t i to t k (l 3 ,s 2 ) (l 5 ,s 3 ) (l 1 ,s 1 ) § global state is passed on to t k § context switch back to t i resumes (l 1 ,s 3 ) (l 3 ,s 4 ) (l 5 ,s 5 ) at old local state (incl. pc) • round: formed of one context of each thread • round robin schedule: same order of threads in each round • can simulate all schedules by round robin schedules

  43. Context-bounded analysis Important observation: Most concurrency errors are shallow! i.e., require only few context switches ⇒ limit the search space by bounding the number of • context switches • rounds

  44. Concurrency verification approaches • Explicit schedule exploration (ESBMC) § lazy exploration § schedule recording

  45. Concurrency verification approaches • Explicit schedule exploration (ESBMC) § lazy exploration § schedule recording • Partial order methods (CBMC)

  46. Concurrency verification approaches • Explicit schedule exploration (ESBMC) § lazy exploration § schedule recording • Partial order methods (CBMC) • Sequentialization § KISS § Lal / Reps (eager sequentialization) § Lazy CSeq § memory unwinding

  47. Intended learning outcomes • Introduce typical BMC architectures for verifying software systems • Understand communication models and typical errors when writing concurrent programs • Explain explicit schedule exploration of multi- threaded software • Explain sequentialization methods to convert concurrent programs into sequential ones

  48. BMC of Multi-threaded Software Idea: iteratively generate all possible interleavings and call the BMC procedure on each interleaving multi-threaded guide the symbolic QF formula goto symbolic execution generation programs execution engine C/C++ IRep source tree SMT verification BMC scheduler conditions solver scan, parse, and properties check satisfiability type-check using an SMT solver deadlock, atomicity and order violations, etc … stop the generate-and- test loop if there is an error

  49. Running Example • the program has sequences of operations that need to be protected together to avoid atomicity violation – requirement: the region of code (val1 and val2) should execute atomically Thread twoStage Thread reader 1: lock(m1); A state s ∈ S consists of 7: lock(m1); 2: val1 = 1; 8: if (val1 == 0) { the value of the program 3: unlock(m1); 9: unlock(m1); counter pc and the values 4: lock(m2); 10: return NULL; } of all program variables 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); 12: unlock(m1); 13: lock(m2); 14: t2 = val2; program counter: 0 15: unlock(m2); mutexes: m1=0; m2=0; 16: assert(t2==(t1+1)); global variables: val1=0; val2=0; local variabes: t1= -1; t2= -1;

  50. Lazy exploration: interleaving I s statements: val1-access: val2-access: Thread twoStage Thread reader 1: lock(m1); 7: lock(m1); 2: val1 = 1; 8: if (val1 == 0) { 3: unlock(m1); 9: unlock(m1); 4: lock(m2); 10: return NULL; } 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); 12: unlock(m1); 13: lock(m2); 14: t2 = val2; program counter: 0 15: unlock(m2); mutexes: m1=0; m2=0; 16: assert(t2==(t1+1)); global variables: val1=0; val2=0; local variabes: t1= -1; t2= -1;

  51. Lazy exploration: interleaving I s statements: 1 val1-access: val2-access: Thread twoStage Thread reader 1: lock(m1); 7: lock(m1); 2: val1 = 1; 8: if (val1 == 0) { 3: unlock(m1); 9: unlock(m1); 4: lock(m2); 10: return NULL; } 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); 12: unlock(m1); 13: lock(m2); 14: t2 = val2; program counter: 1 15: unlock(m2); mutexes: m1=1 ; m2=0; 16: assert(t2==(t1+1)); global variables: val1=0; val2=0; local variabes: t1= -1; t2= -1;

  52. Lazy exploration: interleaving I s write access to the shared statements: 1-2 variable val1 in statement 2 of the thread twoStage val1-access: W twoStage,2 val2-access: Thread twoStage Thread reader 1: lock(m1); 7: lock(m1); 2: val1 = 1; 8: if (val1 == 0) { 3: unlock(m1); 9: unlock(m1); 4: lock(m2); 10: return NULL; } 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); 12: unlock(m1); 13: lock(m2); 14: t2 = val2; program counter: 2 15: unlock(m2); mutexes: m1=1; m2=0; 16: assert(t2==(t1+1)); global variables: val1=1 ; val2=0; local variabes: t1= -1; t2= -1;

  53. Lazy exploration: interleaving I s statements: 1-2-3 val1-access: W twoStage,2 val2-access: Thread twoStage Thread reader 1: lock(m1); 7: lock(m1); 2: val1 = 1; 8: if (val1 == 0) { 3: unlock(m1); 9: unlock(m1); 4: lock(m2); 10: return NULL; } 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); 12: unlock(m1); 13: lock(m2); 14: t2 = val2; program counter: 3 15: unlock(m2); mutexes: m1=0 ; m2=0; 16: assert(t2==(t1+1)); global variables: val1=1; val2=0; local variabes: t1= -1; t2= -1;

  54. Lazy exploration: interleaving I s statements: 1-2-3-7 val1-access: W twoStage,2 val2-access: Thread twoStage Thread reader 1: lock(m1); 7: lock(m1); CS1 2: val1 = 1; 8: if (val1 == 0) { 3: unlock(m1); 9: unlock(m1); 4: lock(m2); 10: return NULL; } 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); 12: unlock(m1); 13: lock(m2); 14: t2 = val2; program counter: 7 15: unlock(m2); mutexes: m1=1 ; m2=0; 16: assert(t2==(t1+1)); global variables: val1=1; val2=0; local variabes: t1= -1; t2= -1;

  55. Lazy exploration: interleaving I s read access to the shared variable val1 in statement 8 statements: 1-2-3-7-8 of the thread reader val1-access: W twoStage,2 - R reader,8 val2-access: Thread twoStage Thread reader 1: lock(m1); 7: lock(m1); CS1 2: val1 = 1; 8: if (val1 == 0) { 3: unlock(m1); 9: unlock(m1); 4: lock(m2); 10: return NULL; } 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); 12: unlock(m1); 13: lock(m2); 14: t2 = val2; program counter: 8 15: unlock(m2); mutexes: m1=1; m2=0; 16: assert(t2==(t1+1)); global variables: val1=1; val2=0; local variabes: t1= -1; t2= -1;

  56. Lazy exploration: interleaving I s statements: 1-2-3-7-8-11 val1-access: W twoStage,2 - R reader,8 - R reader,11 val2-access: Thread twoStage Thread reader 1: lock(m1); 7: lock(m1); CS1 2: val1 = 1; 8: if (val1 == 0) { 3: unlock(m1); 9: unlock(m1); 4: lock(m2); 10: return NULL; } 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); 12: unlock(m1); 13: lock(m2); 14: t2 = val2; program counter: 11 15: unlock(m2); mutexes: m1=1; m2=0; 16: assert(t2==(t1+1)); global variables: val1=1; val2=0; local variabes: t1= 1 ; t2= -1;

  57. Lazy exploration: interleaving I s statements: 1-2-3-7-8-11-12 val1-access: W twoStage,2 - R reader,8 - R reader,11 val2-access: Thread twoStage Thread reader 1: lock(m1); 7: lock(m1); CS1 2: val1 = 1; 8: if (val1 == 0) { 3: unlock(m1); 9: unlock(m1); 4: lock(m2); 10: return NULL; } 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); 12: unlock(m1); 13: lock(m2); 14: t2 = val2; program counter: 12 15: unlock(m2); mutexes: m1=0 ; m2=0; 16: assert(t2==(t1+1)); global variables: val1=1; val2=0; local variabes: t1= 1; t2= -1;

  58. Lazy exploration: interleaving I s statements: 1-2-3-7-8-11-12 val1-access: W twoStage,2 - R reader,8 - R reader,11 val2-access: Thread twoStage Thread reader 1: lock(m1); 7: lock(m1); CS1 2: val1 = 1; 8: if (val1 == 0) { 3: unlock(m1); 9: unlock(m1); 4: lock(m2); 10: return NULL; } CS2 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); 12: unlock(m1); 13: lock(m2); 14: t2 = val2; program counter: 4 15: unlock(m2); mutexes: m1=0; m2=0; 16: assert(t2==(t1+1)); global variables: val1=1; val2=0; local variabes: t1= 1; t2= -1;

  59. Lazy exploration: interleaving I s statements: 1-2-3-7-8-11-12-4 val1-access: W twoStage,2 - R reader,8 - R reader,11 val2-access: Thread twoStage Thread reader 1: lock(m1); 7: lock(m1); CS1 2: val1 = 1; 8: if (val1 == 0) { 3: unlock(m1); 9: unlock(m1); 4: lock(m2); 10: return NULL; } CS2 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); 12: unlock(m1); 13: lock(m2); 14: t2 = val2; program counter: 4 15: unlock(m2); mutexes: m1=0; m2=1 ; 16: assert(t2==(t1+1)); global variables: val1=1; val2=0; local variabes: t1= 1; t2= -1;

  60. Lazy exploration: interleaving I s statements: 1-2-3-7-8-11-12-4-5 val1-access: W twoStage,2 - R reader,8 - R reader,11 - R twoStage,5 val2-access: W twoStage,5 Thread twoStage Thread reader 1: lock(m1); 7: lock(m1); CS1 2: val1 = 1; 8: if (val1 == 0) { 3: unlock(m1); 9: unlock(m1); 4: lock(m2); 10: return NULL; } CS2 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); 12: unlock(m1); 13: lock(m2); 14: t2 = val2; program counter: 5 15: unlock(m2); mutexes: m1=0; m2=1; 16: assert(t2==(t1+1)); global variables: val1=1; val2=2 ; local variabes: t1= 1; t2= -1;

  61. Lazy exploration: interleaving I s statements: 1-2-3-7-8-11-12-4-5-6 val1-access: W twoStage,2 - R reader,8 - R reader,11 - R twoStage,5 val2-access: W twoStage,5 Thread twoStage Thread reader 1: lock(m1); 7: lock(m1); CS1 2: val1 = 1; 8: if (val1 == 0) { 3: unlock(m1); 9: unlock(m1); 4: lock(m2); 10: return NULL; } CS2 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); 12: unlock(m1); 13: lock(m2); 14: t2 = val2; program counter: 6 15: unlock(m2); mutexes: m1=0; m2=0 ; 16: assert(t2==(t1+1)); global variables: val1=1; val2=2; local variabes: t1= 1; t2= -1;

  62. Lazy exploration: interleaving I s statements: 1-2-3-7-8-11-12-4-5-6 val1-access: W twoStage,2 - R reader,8 - R reader,11 - R twoStage,5 val2-access: W twoStage,5 Thread twoStage Thread reader 1: lock(m1); 7: lock(m1); CS1 2: val1 = 1; 8: if (val1 == 0) { 3: unlock(m1); 9: unlock(m1); 4: lock(m2); 10: return NULL; } CS2 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); CS3 12: unlock(m1); 13: lock(m2); 14: t2 = val2; program counter: 13 15: unlock(m2); mutexes: m1=0; m2=0; 16: assert(t2==(t1+1)); global variables: val1=1; val2=2; local variabes: t1= 1; t2= -1;

  63. Lazy exploration: interleaving I s statements: 1-2-3-7-8-11-12-4-5-6-13 val1-access: W twoStage,2 - R reader,8 - R reader,11 - R twoStage,5 val2-access: W twoStage,5 Thread twoStage Thread reader 1: lock(m1); 7: lock(m1); CS1 2: val1 = 1; 8: if (val1 == 0) { 3: unlock(m1); 9: unlock(m1); 4: lock(m2); 10: return NULL; } CS2 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); CS3 12: unlock(m1); 13: lock(m2); 14: t2 = val2; program counter: 13 15: unlock(m2); mutexes: m1=0; m2=1 ; 16: assert(t2==(t1+1)); global variables: val1=1; val2=2; local variabes: t1= 1; t2= -1;

  64. Lazy exploration: interleaving I s statements: 1-2-3-7-8-11-12-4-5-6-13-14 val1-access: W twoStage,2 - R reader,8 - R reader,11 - R twoStage,5 val2-access: W twoStage,5 - R reader,14 Thread twoStage Thread reader 1: lock(m1); 7: lock(m1); CS1 2: val1 = 1; 8: if (val1 == 0) { 3: unlock(m1); 9: unlock(m1); 4: lock(m2); 10: return NULL; } CS2 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); CS3 12: unlock(m1); 13: lock(m2); 14: t2 = val2; program counter: 14 15: unlock(m2); mutexes: m1=0; m2=1; 16: assert(t2==(t1+1)); global variables: val1=1; val2=2; local variabes: t1= 1; t2= 2 ;

  65. Lazy exploration: interleaving I s statements: 1-2-3-7-8-11-12-4-5-6-13-14-15 val1-access: W twoStage,2 - R reader,8 - R reader,11 - R twoStage,5 val2-access: W twoStage,5 - R reader,14 Thread twoStage Thread reader 1: lock(m1); 7: lock(m1); CS1 2: val1 = 1; 8: if (val1 == 0) { 3: unlock(m1); 9: unlock(m1); 4: lock(m2); 10: return NULL; } CS2 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); CS3 12: unlock(m1); 13: lock(m2); 14: t2 = val2; program counter: 15 15: unlock(m2); mutexes: m1=0; m2=0 ; 16: assert(t2==(t1+1)); global variables: val1=1; val2=2; local variabes: t1= 1; t2= 2;

  66. Lazy exploration: interleaving I s statements: 1-2-3-7-8-11-12-4-5-6-13-14-15-16 val1-access: W twoStage,2 - R reader,8 - R reader,11 - R twoStage,5 val2-access: W twoStage,5 - R reader,14 Thread twoStage Thread reader 1: lock(m1); 7: lock(m1); CS1 2: val1 = 1; 8: if (val1 == 0) { 3: unlock(m1); 9: unlock(m1); 4: lock(m2); 10: return NULL; } CS2 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); CS3 12: unlock(m1); 13: lock(m2); 14: t2 = val2; program counter: 16 15: unlock(m2); mutexes: m1=0; m2=0; 16: assert(t2==(t1+1)); global variables: val1=1; val2=2; local variabes: t1= 1; t2= 2;

  67. Lazy exploration: interleaving I s statements: 1-2-3-7-8-11-12-4-5-6-13-14-15-16 val1-access: W twoStage,2 - R reader,8 - R reader,11 - R twoStage,5 val2-access: W twoStage,5 - R reader,14 Thread twoStage Thread reader 1: lock(m1); 7: lock(m1); CS1 2: val1 = 1; 8: if (val1 == 0) { 3: unlock(m1); 9: unlock(m1); 4: lock(m2); 10: return NULL; } CS2 5: val2 = val1 + 1; 11: t1 = val1; 6: unlock(m2); CS3 12: unlock(m1); 13: lock(m2); 14: t2 = val2; 15: unlock(m2); QF formula is unsatisfiable, 16: assert(t2==(t1+1)); i.e., assertion holds

Recommend

Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of

Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of

Systems and Software Verification Laboratory Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of Computer Science lucas.cordeiro@manchester.ac.uk Static Analysis Lucas Cordeiro (Formal Methods

1.9k views • 188 slides
Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL

Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL

Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL Injection Vulnerabilities in Web Services Nuno Antunes, Marco Vieira PRDC 2009 nmsa@dei.uc.pt, mvieira@dei.uc.pt University of Coimbra

370 views • 24 slides
Detection of Software Vulnerabilities: Dynamic Analysis Lucas Cordeiro Department of Computer

Detection of Software Vulnerabilities: Dynamic Analysis Lucas Cordeiro Department of Computer

Systems and Software Verification Laboratory Detection of Software Vulnerabilities: Dynamic Analysis Lucas Cordeiro Department of Computer Science lucas.cordeiro@manchester.ac.uk Dynamic Analysis Lucas Cordeiro (Formal Methods Group)

2.04k views • 187 slides
Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten

Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten

Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten Holz Ruhr-University Bochum USENIX Security 14, 20-22 August 2014, San Diego, CA, USA 1. Introduction 2. Implementation 3. Evaluation 4.

579 views • 40 slides
Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A

Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A

Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities Using static analysis and integer range analysis to find buffer overflows

1.33k views • 56 slides
Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications Daniele Gallingani, Rigel Gjomemo , V.N. Venkatakrishnan, Stefano Zanero Android Message Passing Mechanism Android apps are composed of

566 views • 23 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code

Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code

Static Code Analysis Automatisierte Sicherheitsanalyse of Complex PHP Application Vulnerabilities von Webapplikationen Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code Analysis Automatisierte

1.48k views • 89 slides
Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications Daniele Gallingani Rigel Gjomemo, V.N. Venkatakrishnan Stefano Zanero University of Illinois at Chicago University of Illinois at Chicago

419 views • 11 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of Grenoble September 2014 Static analysis for exploitable vulnerability detection 1/43 Outline 1 Context Vulnerability detection process Static

546 views • 43 slides
Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C.

Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C.

Motivation Analysis Evaluation Summary Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C. Kruegel Secure Systems Lab Vienna University of Technology SIG SIDAR Conference on Detection of

929 views • 78 slides
Why Cant Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for

Why Cant Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for

Why Cant Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for Security Justin Smith (Lafayette College) smithjus@lafayette.edu Lisa Nguyen Quang Do (Google) lisanqd@google.com Emerson Murphy-Hill (Google)

605 views • 15 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot &amp; CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Software Reliability Estimation Based on Static Error Detection M. Moiseev, M. Glukhikh , A.

Software Reliability Estimation Based on Static Error Detection M. Moiseev, M. Glukhikh , A.

7 th Central and Eastern European Software Engineering Conference in Russia - CEE-SECR 2011 October 31 November 3, Moscow Software Reliability Estimation Based on Static Error Detection M. Moiseev, M. Glukhikh , A. Karpenko, H. Richter

884 views • 32 slides
System Call Vulnerabilities in Linux Storage Stack Nima Mohammadi Sepand Haghighi Fall - 2016

System Call Vulnerabilities in Linux Storage Stack Nima Mohammadi Sepand Haghighi Fall - 2016

System Call Vulnerabilities in Linux Storage Stack Nima Mohammadi Sepand Haghighi Fall - 2016 Outline Introduction Static Code Analysis Static Analyzer List Kernels Static Analysis Report Conclusion 2 System

809 views • 22 slides
Static (Software) Analysis Dagstuhl 16172: Machine Learning for Dynamic Software Analysis Reiner

Static (Software) Analysis Dagstuhl 16172: Machine Learning for Dynamic Software Analysis Reiner

Static (Software) Analysis Dagstuhl 16172: Machine Learning for Dynamic Software Analysis Reiner Hhnle Software Engineering Group Department of Computer Science Technische Universitt Darmstadt http://www.se.tu-darmstadt.de/

239 views • 23 slides
Numerical Static Analysis of Embedded Software with Interrupts Liqian Chen National University of

Numerical Static Analysis of Embedded Software with Interrupts Liqian Chen National University of

The 2016 Workshop on Static Analysis of Concurrent Software, Edinburgh, Scotland Numerical Static Analysis of Embedded Software with Interrupts Liqian Chen National University of Defense Technology, Changsha, China 11/09/2016 (Joint work with

604 views • 39 slides
Static and dynamic verification Static and dynamic V&amp;V Software inspections Concerned

Static and dynamic verification Static and dynamic V&amp;V Software inspections Concerned

1 2 Static and dynamic verification Static and dynamic V&amp;V Software inspections Concerned with analysis of the static system Static representation to discover problems (static verification verification) May be supplement by

107 views • 6 slides
Program Analysis Extracting static and dynamic information from a software system Program

Program Analysis Extracting static and dynamic information from a software system Program

Program Analysis Extracting static and dynamic information from a software system Program Analysis Extracting information, in order to present abstractions of, or answer questions about, a software system Static Analysis: Examines the

754 views • 32 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot &amp; CNRS VTSA 2015 1 / 149 Outline Introduction 1 Formal

861 views • 68 slides

More recommend