École Normale Supérieure (ENS)

Challenges in Abstract Interpretation for Software Safety

Patrick Cousot
École normale supérieure, Paris, France
cousot@ens.fr
www.di.ens.fr/~cousot

Franco-Japanese Workshop on Security, Keio University, Mita Campus, September 5–7, 2005

Normale Sup. (ENS)

A few former students: Évariste Galois, Louis Pasteur, ...; Nobel prizes: Claude Cohen-Tannoudji, Pierre-Gilles de Gennes, Gabriel Lippmann, Louis Néel, Jean-Baptiste Perrin, Paul Sabatier, ...; Fields Medal holders: Laurent Schwartz, Jean-Pierre Serre (1st Abel Prize), René Thom, Alain Connes, Pierre-Louis Lions, Jean-Christophe Yoccoz, Laurent Lafforgue; Fictitious mathematicians: Nicolas Bourbaki; Philosophers: Henri Bergson (Nobel Prize), Louis Althusser, Simone de Beauvoir, Émile Auguste Chartier "Alain", Raymond Aron, Jean-Paul Sartre, Maurice Merleau-Ponty, Michel Foucault, Jacques Derrida, Bernard-Henri Lévy, ...; Politicians: Jean Jaurès, Léon Blum, Édouard Herriot, Georges Pompidou, Alain Juppé, Laurent Fabius, Léopold Sédar Senghor, ...; Sociologists: Émile Durkheim, Pierre Bourdieu, ...; Writers: Romain Rolland (Nobel Prize), Jean Giraudoux, Charles Péguy, Julien Gracq, ...

Franco-Japanese Workshop on Security, September 5–7, 2005. © P. Cousot
The software safety challenge for the next 10 years

State of Practice in Software Engineering

- Present-day software engineering is almost exclusively manual, with very few automated tools;
- Trust and confidence in specifications and software can no longer be entirely based on the development process (e.g. DO-178B in aerospace software);
- In complement, quality assurance must be ensured by new design, modeling, checking, verification and certification tools based on the product itself.

An example among many others (Matlab code)

» h=get(gca,'children');
apple.awt.EventQueueExceptionHandler Caught Throwable : java.lang.ArrayIndexOutOfBoundsException: 2 >= 2
java.lang.ArrayIndexOutOfBoundsException: 2 >= 2
        at java.util.Vector.elementAt(Vector.java:431)
        at com.mathworks.mde.help.IndexItem.getFilename(IndexItem.java:100)
        at com.mathworks.mde.help.Index.getFilenameForLocation(Index.java:706)
        at com.mathworks.mde.help.Index.access$3100(Index.java:29)
        at com.mathworks.mde.help.Index$IndexMouseMotionAdapter.mouseMoved(Index.java:768)
        at java.awt.AWTEventMulticaster.mouseMoved(AWTEventMulticaster.java:272)
        at java.awt.AWTEventMulticaster.mouseMoved(AWTEventMulticaster.java:271)
        at java.awt.Component.processMouseMotionEvent(Component.java:5211)
        at javax.swing.JComponent.processMouseMotionEvent(JComponent.java:2779)
        at com.mathworks.mwswing.MJTable.processMouseMotionEvent(MJTable.java:725)
        at java.awt.Component.processEvent(Component.java:4967)
        at java.awt.Container.processEvent(Container.java:1613)
        at java.awt.Component.dispatchEventImpl(Component.java:3681)
        at java.awt.Container.dispatchEventImpl(Container.java:1671)
        at java.awt.Component.dispatchEvent(Component.java:3543)
        at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:3527)
        at java.awt.LightweightDispatcher.processMouseEvent(Container.java:3255)
        at java.awt.LightweightDispatcher.dispatchEvent(Container.java:3172)
        at java.awt.Container.dispatchEventImpl(Container.java:1657)
        at java.awt.Window.dispatchEventImpl(Window.java:1606)
        at java.awt.Component.dispatchEvent(Component.java:3543)
        at java.awt.EventQueue.dispatchEvent(EventQueue.java:456)
        at java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchThread.java:234)
        at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:184)
        at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:178)
        at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:170)
        at java.awt.EventDispatchThread.run(EventDispatchThread.java:100)
»

Abstract Interpretation

Reference

[POPL '77] P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In 4th ACM POPL.
[Thesis '78] P. Cousot. Méthodes itératives de construction et d'approximation de points fixes d'opérateurs monotones sur un treillis, analyse sémantique de programmes. Thèse ès sci. math. Grenoble, March 1978.
[POPL '79] P. Cousot and R. Cousot. Systematic design of program analysis frameworks. In 6th ACM POPL.
Syntax of programs

$X \in \mathbb{X}$: variables
$T \in \mathbb{T}$: types
$E \in \mathbb{E}$: arithmetic expressions
$B \in \mathbb{B}$: boolean expressions
Declarations: $D ::= T\,X;\ \mid\ T\,X;\,D$
Commands $C \in \mathbb{C}$:
$$C ::= X = E;\ \mid\ \mathbf{if}\ B\ C'\ \mid\ \mathbf{if}\ B\ C'\ \mathbf{else}\ C''\ \mid\ \mathbf{while}\ B\ C'\ \mid\ \{C_1 \ldots C_n\}\quad (n \ge 0)$$
Programs $P \in \mathbb{P}$: $P ::= D\,C$

Program states

$\mathbb{V}[\![T]\!]$: values of type $T \in \mathbb{T}$, for example $\mathbb{V}[\![\mathrm{int}]\!] \stackrel{\mathrm{def}}{=} \{z \in \mathbb{Z} \mid \mathrm{min\_int} \le z \le \mathrm{max\_int}\}$
$$\Sigma[\![T\,X;]\!] \stackrel{\mathrm{def}}{=} \{X\} \to \mathbb{V}[\![T]\!]$$
$$\Sigma[\![T\,X;\,D]\!] \stackrel{\mathrm{def}}{=} (\{X\} \to \mathbb{V}[\![T]\!]) \cup \Sigma[\![D]\!]$$
$$\Sigma[\![D\,C]\!] \stackrel{\mathrm{def}}{=} \Sigma[\![D]\!]$$
States $\rho \in \Sigma[\![P]\!]$ of a program $P$ map program variables $X$ to their values $\rho(X)$.

Postcondition semantics

[Figure: postcondition semantics, with axes $x$ and $t$, the set of initial states $R$ and the set of final states $\mathcal{S}[\![P]\!]R$ reached from it.]

Concrete Semantic Domain of Programs

Concrete semantic domain for reachability properties: $\mathcal{D}[\![P]\!] \stackrel{\mathrm{def}}{=} \wp(\Sigma[\![P]\!])$, sets of states, i.e. program properties, where $\subseteq$ is implication, $\emptyset$ is false and $\cup$ is disjunction.
Concrete Reachability Semantics of Programs

$$\mathcal{S}[\![X = E;]\!]R \stackrel{\mathrm{def}}{=} \{\rho[X \leftarrow \mathcal{E}[\![E]\!]\rho] \mid \rho \in R \cap \mathrm{dom}(E)\}$$
where $\rho[X \leftarrow v](X) = v$ and $\rho[X \leftarrow v](Y) = \rho(Y)$.
$$\mathcal{S}[\![\mathbf{if}\ B\ C']\!]R \stackrel{\mathrm{def}}{=} \mathcal{S}[\![C']\!](\mathcal{B}[\![B]\!]R) \cup \mathcal{B}[\![\neg B]\!]R$$
$$\mathcal{B}[\![B]\!]R \stackrel{\mathrm{def}}{=} \{\rho \in R \cap \mathrm{dom}(B) \mid B \text{ holds in } \rho\}$$
$$\mathcal{S}[\![\mathbf{if}\ B\ C'\ \mathbf{else}\ C'']\!]R \stackrel{\mathrm{def}}{=} \mathcal{S}[\![C']\!](\mathcal{B}[\![B]\!]R) \cup \mathcal{S}[\![C'']\!](\mathcal{B}[\![\neg B]\!]R)$$
$$\mathcal{S}[\![\mathbf{while}\ B\ C']\!]R \stackrel{\mathrm{def}}{=} \mathbf{let}\ W = \mathrm{lfp}^{\subseteq}_{\emptyset}\ \lambda X.\, R \cup \mathcal{S}[\![C']\!](\mathcal{B}[\![B]\!]X)\ \mathbf{in}\ \mathcal{B}[\![\neg B]\!]W$$
$$\mathcal{S}[\![\{\}]\!]R \stackrel{\mathrm{def}}{=} R$$
$$\mathcal{S}[\![\{C_1 \ldots C_n\}]\!]R \stackrel{\mathrm{def}}{=} \mathcal{S}[\![C_n]\!] \circ \ldots \circ \mathcal{S}[\![C_1]\!]R \qquad (n > 0)$$
$$\mathcal{S}[\![D\,C]\!]R \stackrel{\mathrm{def}}{=} \mathcal{S}[\![C]\!](\Sigma[\![D]\!]) \qquad \text{(uninitialized variables)}$$
Not computable (undecidability).

Reduced Product of Abstract Domains

To combine abstractions
$$\langle \mathcal{D}, \subseteq\rangle \underset{\alpha_1}{\overset{\gamma_1}{\rightleftarrows}} \langle \mathcal{D}^\sharp_1, \sqsubseteq_1\rangle \qquad \text{and} \qquad \langle \mathcal{D}, \subseteq\rangle \underset{\alpha_2}{\overset{\gamma_2}{\rightleftarrows}} \langle \mathcal{D}^\sharp_2, \sqsubseteq_2\rangle$$
the reduced product is
$$\alpha(X) \stackrel{\mathrm{def}}{=} \sqcap\{\langle x, y\rangle \mid X \subseteq \gamma_1(x) \wedge X \subseteq \gamma_2(y)\}$$
such that $\sqsubseteq \stackrel{\mathrm{def}}{=} \sqsubseteq_1 \times \sqsubseteq_2$ and $\gamma \stackrel{\mathrm{def}}{=} \gamma_1 \times \gamma_2$, giving
$$\langle \mathcal{D}, \subseteq\rangle \underset{\alpha}{\overset{\gamma}{\rightleftarrows}} \langle \alpha(\mathcal{D}), \sqsubseteq\rangle$$
Example: $x \in [1, 9] \wedge x \bmod 2 = 0$ reduces to $x \in [2, 8] \wedge x \bmod 2 = 0$.

Abstract Semantic Domain of Programs

Abstract domain $\langle \mathcal{D}^\sharp[\![P]\!], \sqsubseteq, \bot, \sqcup\rangle$ such that
$$\langle \mathcal{D}, \subseteq\rangle \underset{\alpha}{\overset{\gamma}{\rightleftarrows}} \langle \mathcal{D}^\sharp[\![P]\!], \sqsubseteq\rangle$$
hence $\langle \mathcal{D}^\sharp[\![P]\!], \sqsubseteq, \bot, \sqcup\rangle$ is a complete lattice such that $\bot = \alpha(\emptyset)$ and $\sqcup X = \alpha\big(\bigcup\{\gamma(x) \mid x \in X\}\big)$.

Approximate Fixpoint Abstraction

[Figure: iterates of $F$ from $\bot$ in the concrete domain and iterates of $F^\sharp$ from $\bot$ in the abstract domain, related by the approximation relation $\sqsubseteq$ through $\alpha$ and $\gamma$.]
$$F \circ \gamma \sqsubseteq \gamma \circ F^\sharp \implies \mathrm{lfp}\, F \sqsubseteq \gamma(\mathrm{lfp}\, F^\sharp)$$
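The concrete reachability semantics above can be executed literally on a finite state space, which is the clearest way to see what the abstract semantics has to over-approximate. The following is an added example written for this page, not code from the slides: it encodes the slides' syntax as nested tuples, represents $\mathcal{D}[\![P]\!] = \wp(\Sigma[\![P]\!])$ as frozensets of states, implements each rule of $\mathcal{S}[\![C]\!]R$ including the $\mathrm{lfp}$ of the while rule by Kleene iteration, and assumes (my choice, to keep everything finite) that $\mathbb{V}[\![\mathrm{int}]\!]$ is the tiny range $-8..8$; the program `PROG`, the helper names and the tuple encoding are all assumptions of this example.

```python
# Added example (not from Cousot's slides): the concrete reachability semantics
# S[[P]]R of the slides, executed literally on finite sets of states.
# Programs are nested tuples in the slides' syntax; a state rho is a sorted
# tuple of (variable, value) pairs so that it can live in a frozenset.
# Assumption (mine): V[[int]] is the tiny range MIN_INT..MAX_INT, which keeps
# every set of states finite and makes the lfp iteration terminate.
import itertools
from typing import FrozenSet, Tuple

MIN_INT, MAX_INT = -8, 8
State = Tuple[Tuple[str, int], ...]
States = FrozenSet[State]


def lookup(rho: State, x: str) -> int:
    return dict(rho)[x]


def update(rho: State, x: str, v: int) -> State:
    # rho[X <- v](X) = v and rho[X <- v](Y) = rho(Y) for the other variables
    return tuple(sorted(dict(rho, **{x: v}).items()))


def eval_expr(e, rho: State):
    """E[[E]]rho; None when the result leaves V[[int]], i.e. rho is not in dom(E)."""
    tag = e[0]
    if tag == "const":
        v = e[1]
    elif tag == "var":
        v = lookup(rho, e[1])
    else:  # ("add" | "sub", e1, e2)
        a, b = eval_expr(e[1], rho), eval_expr(e[2], rho)
        if a is None or b is None:
            return None
        v = a + b if tag == "add" else a - b
    return v if MIN_INT <= v <= MAX_INT else None


def eval_bool(b, rho: State):
    """Whether B holds in rho; None when B is undefined in rho (rho not in dom(B))."""
    if b[0] == "not":
        r = eval_bool(b[1], rho)
        return None if r is None else not r
    a, c = eval_expr(b[1], rho), eval_expr(b[2], rho)
    if a is None or c is None:
        return None
    return {"lt": a < c, "le": a <= c, "eq": a == c}[b[0]]


def filt(b, R: States) -> States:
    # B[[B]]R = { rho in R ∩ dom(B) | B holds in rho }; undefined (None) is dropped
    return frozenset(rho for rho in R if eval_bool(b, rho))


def lfp(f, bottom):
    # Kleene iteration from bottom; terminates because the state space is finite
    x = bottom
    while True:
        y = f(x)
        if y == x:
            return x
        x = y


def sem(c, R: States) -> States:
    """S[[C]]R, one case per rule of the concrete reachability semantics."""
    tag = c[0]
    if tag == "assign":  # S[[X = E;]]R
        _, x, e = c
        out = set()
        for rho in R:
            v = eval_expr(e, rho)
            if v is not None:  # rho in dom(E)
                out.add(update(rho, x, v))
        return frozenset(out)
    if tag == "if":  # S[[if B C' else C'']]R; use ("block",) as an empty else
        _, b, c1, c2 = c
        return sem(c1, filt(b, R)) | sem(c2, filt(("not", b), R))
    if tag == "while":  # let W = lfp λX. R ∪ S[[C']](B[[B]]X) in B[[¬B]]W
        _, b, body = c
        W = lfp(lambda X: R | sem(body, filt(b, X)), frozenset())
        return filt(("not", b), W)
    if tag == "block":  # S[[{C1 ... Cn}]]R = S[[Cn]] ∘ ... ∘ S[[C1]] R
        for ci in c[1:]:
            R = sem(ci, R)
        return R
    raise ValueError(tag)


def run(decls, c) -> States:
    # S[[D C]]R = S[[C]](Σ[[D]]): start from all states (uninitialized variables)
    values = range(MIN_INT, MAX_INT + 1)
    sigma = frozenset(tuple(sorted(zip(decls, vs)))
                      for vs in itertools.product(values, repeat=len(decls)))
    return sem(c, sigma)


# Constructed program: { x = 0; while (x < 3) { x = x + 1; } }
PROG = ("block",
        ("assign", "x", ("const", 0)),
        ("while", ("lt", ("var", "x"), ("const", 3)),
         ("block", ("assign", "x", ("add", ("var", "x"), ("const", 1))))))


def final_values(var="x"):
    """Sorted values of `var` in the reachable final states of PROG."""
    return sorted({lookup(rho, var) for rho in run(["x"], PROG)})
```

Running `final_values()` yields `[3]`: the loop's lfp is computed as the increasing chain $\emptyset$, $\{x{=}0\}$, $\{x{=}0,1\}$, ... until it stabilises, and $\mathcal{B}[\![\neg B]\!]$ keeps only the exit state. The treatment of $\mathrm{dom}(E)$ also shows why the concrete semantics is a safety semantics: an assignment whose result leaves $\mathbb{V}[\![\mathrm{int}]\!]$ has no successor state, so an analysis that over-approximates these sets can report where such overflows may occur. The enumeration of $\Sigma[\![D]\!]$ is only feasible because the value range is tiny, which is exactly the "not computable" obstacle the abstract semantics removes.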
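The reduced product slide gives one worked reduction, $x \in [1,9] \wedge x \bmod 2 = 0$ to $x \in [2,8] \wedge x \bmod 2 = 0$. As an added example (mine, not the slides'), here are two small abstract domains of my choosing, intervals and parity, together with the reduction $\alpha(\gamma_1(x) \cap \gamma_2(y))$ of a pair, which is the greatest lower bound of all pairs whose components both over-approximate that concrete set; the function and type names are assumptions of this example.

```python
# Added example (not Cousot's code): the reduced product of the slide above,
# instantiated on two domains of my choosing, intervals [lo, hi] and parity.
# Reduction computes alpha(gamma1(x) ∩ gamma2(y)), the greatest lower bound of
# all pairs whose components both over-approximate that concrete set.
from typing import Callable, Optional, Set, Tuple

Interval = Tuple[int, int]                   # D#1: [lo, hi] with lo <= hi
Parity = str                                 # D#2: "even" | "odd" | "top"
Product = Optional[Tuple[Interval, Parity]]  # None is the product's bottom


def gamma1(i: Interval) -> Set[int]:
    lo, hi = i
    return set(range(lo, hi + 1))


def gamma2(p: Parity) -> Callable[[int], bool]:
    # parity concretizes to an infinite set, so return a membership test
    return {"even": lambda z: z % 2 == 0,
            "odd": lambda z: z % 2 == 1,
            "top": lambda z: True}[p]


def alpha1(S: Set[int]) -> Interval:
    return (min(S), max(S))


def alpha2(S: Set[int]) -> Parity:
    if all(z % 2 == 0 for z in S):
        return "even"
    if all(z % 2 == 1 for z in S):
        return "odd"
    return "top"


def reduce_pair(x: Interval, y: Parity) -> Product:
    """alpha(gamma(<x, y>)): the most precise pair with the same concretization."""
    member = gamma2(y)
    C = {z for z in gamma1(x) if member(z)}
    if not C:  # the two components contradict each other: bottom
        return None
    return (alpha1(C), alpha2(C))


def join(a: Product, b: Product) -> Product:
    # componentwise join of the product, followed by reduction
    if a is None:
        return b
    if b is None:
        return a
    (lo1, hi1), p1 = a
    (lo2, hi2), p2 = b
    return reduce_pair((min(lo1, lo2), max(hi1, hi2)), p1 if p1 == p2 else "top")


def slide_example() -> Product:
    # The slide's example: x ∈ [1, 9] ∧ x mod 2 = 0 reduces to x ∈ [2, 8] ∧ x mod 2 = 0
    return reduce_pair((1, 9), "even")
```

Reduction is idempotent (`reduce_pair(*slide_example())` returns the same pair), it can discover contradictions neither component sees alone (`reduce_pair((3, 3), "even")` is bottom, i.e. unreachable), and it can sharpen the parity from the interval (`reduce_pair((7, 7), "top")` yields `odd`). Note that `gamma1` enumerates the interval, which is fine for a demonstration; a real implementation reduces symbolically, since the bounds may be large.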
Abstract Reachability Semantics of Programs

$$\mathcal{S}^\sharp[\![X = E;]\!]R \stackrel{\mathrm{def}}{=} \alpha(\{\rho[X \leftarrow \mathcal{E}[\![E]\!]\rho] \mid \rho \in \gamma(R) \cap \mathrm{dom}(E)\})$$
$$\mathcal{S}^\sharp[\![\mathbf{if}\ B\ C']\!]R \stackrel{\mathrm{def}}{=} \mathcal{S}^\sharp[\![C']\!](\mathcal{B}^\sharp[\![B]\!]R) \sqcup \mathcal{B}^\sharp[\![\neg B]\!]R$$
$$\mathcal{B}^\sharp[\![B]\!]R \stackrel{\mathrm{def}}{=} \alpha(\{\rho \in \gamma(R) \cap \mathrm{dom}(B) \mid B \text{ holds in } \rho\})$$
$$\mathcal{S}^\sharp[\![\mathbf{if}\ B\ C'\ \mathbf{else}\ C'']\!]R \stackrel{\mathrm{def}}{=} \mathcal{S}^\sharp[\![C']\!](\mathcal{B}^\sharp[\![B]\!]R) \sqcup \mathcal{S}^\sharp[\![C'']\!](\mathcal{B}^\sharp[\![\neg B]\!]R)$$
$$\mathcal{S}^\sharp[\![\mathbf{while}\ B\ C']\!]R \stackrel{\mathrm{def}}{=} \mathbf{let}\ W = \mathrm{lfp}^{\sqsubseteq}_{\bot}\ \lambda X.\, R \sqcup \mathcal{S}^\sharp[\![C']\!](\mathcal{B}^\sharp[\![B]\!]X)\ \mathbf{in}\ \mathcal{B}^\sharp[\![\neg B]\!]W$$
$$\mathcal{S}^\sharp[\![\{\}]\!]R \stackrel{\mathrm{def}}{=} R$$
$$\mathcal{S}^\sharp[\![\{C_1 \ldots C_n\}]\!]R \stackrel{\mathrm{def}}{=} \mathcal{S}^\sharp[\![C_n]\!] \circ \ldots \circ \mathcal{S}^\sharp[\![C_1]\!]R \qquad (n > 0)$$
$$\mathcal{S}^\sharp[\![D\,C]\!]R \stackrel{\mathrm{def}}{=} \mathcal{S}^\sharp[\![C]\!](\top) \qquad \text{(uninitialized variables)}$$

Convergence Acceleration with Widening

[Figure: convergence acceleration with widening; the iterates of $F$ from $\bot$ in the concrete domain versus the widened iterates of $F^\sharp$ (using $\triangledown$) from $\bot$ in the abstract domain, related by the approximation relation $\sqsubseteq$.]

Abstract Semantics with Convergence Acceleration

Same rules as the abstract reachability semantics above, except that loops are solved by widening:
$$\mathcal{S}^\sharp[\![\mathbf{while}\ B\ C']\!]R \stackrel{\mathrm{def}}{=} \mathbf{let}\ F^\sharp = \lambda X.\ \mathbf{let}\ Y = R \sqcup \mathcal{S}^\sharp[\![C']\!](\mathcal{B}^\sharp[\![B]\!]X)\ \mathbf{in}\ (\mathbf{if}\ Y \sqsubseteq X\ \mathbf{then}\ X\ \mathbf{else}\ X \mathbin{\triangledown} Y)$$
$$\qquad \mathbf{and}\ W = \mathrm{lfp}^{\sqsubseteq}_{\bot} F^\sharp\ \mathbf{in}\ \mathcal{B}^\sharp[\![\neg B]\!]W$$
Note: $F^\sharp$ is not monotonic!

Applications of Abstract Interpretation
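The abstract semantics with convergence acceleration is best understood by watching the loop iterates. The following is an added example written for this page, not code from the slides: it instantiates $\mathcal{S}^\sharp$ on the interval domain, uses the same tuple syntax as the concrete example earlier on this page, implements the widened loop functional $F^\sharp$ exactly as the slide writes it (widen only when the new iterate is not $\sqsubseteq$ the old one), and records each iterate so the three steps to convergence can be inspected. The interval domain, the widening $\triangledown$ that pushes a moving bound to $\pm\infty$, unbounded integers and all helper names are assumptions of this example.

```python
# Added example (not from Cousot's slides): the abstract reachability semantics
# S#[[P]] above on the interval domain, with the loop rule of the
# convergence-acceleration slide (widening ▽ only when the new iterate is not
# ⊑ the old one). Same tuple syntax as the concrete example; an abstract state
# maps each variable to an interval, and None is ⊥ = alpha(∅).
# Assumption (mine): unbounded integers, so ±inf bounds stand for "no bound".
import math
from typing import Dict, Optional, Tuple

Interval = Tuple[float, float]
AState = Optional[Dict[str, Interval]]


def join_i(a: Interval, b: Interval) -> Interval:
    return (min(a[0], b[0]), max(a[1], b[1]))


def widen_i(old: Interval, new: Interval) -> Interval:
    # old ▽ new: a bound that moved is pushed to infinity so iteration converges
    lo = old[0] if new[0] >= old[0] else -math.inf
    hi = old[1] if new[1] <= old[1] else math.inf
    return (lo, hi)


def lift(op, x: AState, y: AState) -> AState:
    # extend an interval operation (join or widening) to states, None being ⊥
    if x is None or y is None:
        return y if x is None else x
    return {v: op(x[v], y[v]) for v in x}


def leq(x: AState, y: AState) -> bool:
    # the approximation order ⊑ on abstract states
    if x is None:
        return True
    if y is None:
        return False
    return all(y[v][0] <= x[v][0] and x[v][1] <= y[v][1] for v in x)


def eval_expr(e, s: Dict[str, Interval]) -> Interval:
    tag = e[0]
    if tag == "const":
        return (e[1], e[1])
    if tag == "var":
        return s[e[1]]
    (a, b), (c, d) = eval_expr(e[1], s), eval_expr(e[2], s)
    return (a + c, b + d) if tag == "add" else (a - d, b - c)


def filt(b, s: AState) -> AState:
    """B#[[B]]s for tests ("lt" | "le", ("var", X), ("const", k)) and their negations."""
    if s is None:
        return None
    if b[0] == "not":  # ¬(x < k) is x >= k, ¬(x <= k) is x > k
        op, var, k = b[1]
        op = {"lt": "ge", "le": "gt"}[op]
    else:
        op, var, k = b
    lo, hi = s[var[1]]
    k = k[1]
    new = {"lt": (lo, min(hi, k - 1)), "le": (lo, min(hi, k)),
           "ge": (max(lo, k), hi), "gt": (max(lo, k + 1), hi)}[op]
    if new[0] > new[1]:  # unsatisfiable test: ⊥
        return None
    return dict(s, **{var[1]: new})


def lfp_widen(F, bottom: AState, log=None) -> AState:
    # iterate the (non-monotonic) F# from ⊥ until the iterate is stable
    x = bottom
    while True:
        y = F(x)
        if log is not None:
            log.append(y)
        if y == x:
            return x
        x = y


def sem(c, s: AState, log=None) -> AState:
    if s is None:
        return None
    tag = c[0]
    if tag == "assign":
        return dict(s, **{c[1]: eval_expr(c[2], s)})
    if tag == "if":
        return lift(join_i, sem(c[2], filt(c[1], s), log),
                    sem(c[3], filt(("not", c[1]), s), log))
    if tag == "while":
        b, body = c[1], c[2]

        def F(X):  # let Y = R ⊔ S#[[C']](B#[[B]]X) in if Y ⊑ X then X else X ▽ Y
            Y = lift(join_i, s, sem(body, filt(b, X), log))
            return X if leq(Y, X) else lift(widen_i, X, Y)

        return filt(("not", b), lfp_widen(F, None, log))
    if tag == "block":
        for ci in c[1:]:
            s = sem(ci, s, log)
        return s
    raise ValueError(tag)


def analyze(decls, c, log=None) -> AState:
    # S#[[D C]] = S#[[C]](⊤): every declared variable starts unconstrained
    return sem(c, {v: (-math.inf, math.inf) for v in decls}, log)


# Constructed program: { x = 0; while (x < 100) { x = x + 1; } }
PROG = ("block",
        ("assign", "x", ("const", 0)),
        ("while", ("lt", ("var", "x"), ("const", 100)),
         ("block", ("assign", "x", ("add", ("var", "x"), ("const", 1))))))
```

With `log = []; analyze(["x"], PROG, log)` the loop iterates are $[0,0]$, then $[0,+\infty]$ (the upper bound moved from 0 to 1, so widening pushes it to $+\infty$), then $[0,+\infty]$ again, at which point $Y \sqsubseteq X$ holds and the iteration stops after three steps instead of a hundred. The exit test $\neg(x < 100)$ gives $x \in [100, +\infty]$: sound, since it contains the only concrete final value 100, but the widening has lost the upper bound, which is the precision cost of acceleration that later refinements address. The `leq` check before widening matters: widening an iterate that is already stable would needlessly throw bounds away, and it is this conditional that makes $F^\sharp$ non-monotonic, as the slide notes.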