finding software bugs using active automata learning
play

Finding Software Bugs Using Active Automata Learning Frits - PowerPoint PPT Presentation

Oct 19, 2023 •365 likes •1.15k views

Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Finding Software Bugs Using Active Automata Learning Frits Vaandrager Radboud University Nijmegen RV 2018, Limassol, November 2018

  1. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Finding Software Bugs Using Active Automata Learning Frits Vaandrager Radboud University Nijmegen RV 2018, Limassol, November 2018 Frits Vaandrager Finding Bugs Using Automata Learning

  2. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Outline Introduction to Model Learning 1 Applications 2 Theory & Tools for Model Learning 3 Conclusions and Future Work 4 Frits Vaandrager Finding Bugs Using Automata Learning

  3. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Research Question Frits Vaandrager Finding Bugs Using Automata Learning

  4. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Research Question We assume SUT behaves deterministically and can be reset. Frits Vaandrager Finding Bugs Using Automata Learning

  5. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Machine Learning in General Frits Vaandrager Finding Bugs Using Automata Learning

  6. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Learning Regular Languages Frits Vaandrager Finding Bugs Using Automata Learning

  7. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Regular Languages and Congruences Definition The equivalence relation ∼ L on Σ ∗ induced by a language L ⊆ Σ ∗ : ∀ w ∈ Σ ∗ : u · w ∈ L ⇔ v · w ∈ L u ∼ L v iff This relation is a right-congruence with respect to concatenation: ∀ u , v , w ∈ Σ ∗ : u ∼ L v ⇒ u · w ∼ L v · w Theorem (Myhill-Nerode, 1958) Language L is regular iff ∼ L has finitely equivalence classes. Frits Vaandrager Finding Bugs Using Automata Learning

  8. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Visualisation Consider the regular language a ( a | b ) ∗ b Frits Vaandrager Finding Bugs Using Automata Learning

  9. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Visualisation Consider the regular language a ( a | b ) ∗ b Frits Vaandrager Finding Bugs Using Automata Learning

  10. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Hankel Matrix Frits Vaandrager Finding Bugs Using Automata Learning

  11. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Hankel Matrix Frits Vaandrager Finding Bugs Using Automata Learning

  12. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Hankel Matrix Frits Vaandrager Finding Bugs Using Automata Learning

  13. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Hankel Matrix Frits Vaandrager Finding Bugs Using Automata Learning

  14. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Hankel Matrix Frits Vaandrager Finding Bugs Using Automata Learning

  15. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Hankel Matrix Frits Vaandrager Finding Bugs Using Automata Learning

  16. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Hankel Matrix u ∼ L v iff rows of u and v in Hankel matrix for L have the same color Frits Vaandrager Finding Bugs Using Automata Learning

  17. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Hankel Matrix u ∼ L v iff rows of u and v in Hankel matrix for L have the same color Language L is regular iff its Hankel matrix contains a finite number of distinct rows, i.e., colors Frits Vaandrager Finding Bugs Using Automata Learning

  18. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Hankel Matrix u ∼ L v iff rows of u and v in Hankel matrix for L have the same color Language L is regular iff its Hankel matrix contains a finite number of distinct rows, i.e., colors The number of states in the smallest DFA for L equals the number of colors in the Hankel matrix Frits Vaandrager Finding Bugs Using Automata Learning

  19. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work What is the FSM for this Hankel Matrix? Frits Vaandrager Finding Bugs Using Automata Learning

  20. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work What is the FSM for this Hankel Matrix? Frits Vaandrager Finding Bugs Using Automata Learning

  21. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Solution Colors of rows in Hankel matrix give us the states. Access strings and one-letter extensions allow us to determine transitions. Column for empty suffix gives us the accepting states. Frits Vaandrager Finding Bugs Using Automata Learning

  22. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work What if Hankel Matrix is Incomplete? Problem to color such a matrix is NP-hard! Frits Vaandrager Finding Bugs Using Automata Learning

  23. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Minimally Adequate Teacher (Angluin) string MQ +/- Learner Teacher hypothesis EQ y/n, counterexample Learner asks membership queries and equivalence queries Frits Vaandrager Finding Bugs Using Automata Learning

  24. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Angluin’s L ∗ Algorithm Frits Vaandrager Finding Bugs Using Automata Learning

  25. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Black Box Checking (Peled, Vardi & Yannakakis) MQ SUL TQs CT EQ Learner Teacher Learner: Formulate hypotheses Conformance Tester (CT): Test correctness hypotheses Frits Vaandrager Finding Bugs Using Automata Learning

  26. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Black Box Checking (Peled, Vardi & Yannakakis) MQ SUL TQs CT EQ Learner Teacher Learner: Formulate hypotheses Conformance Tester (CT): Test correctness hypotheses Model learning and conformance testing two sides of same coin! Frits Vaandrager Finding Bugs Using Automata Learning

  27. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Implements MAT framework for DFAs and Mealy machines Frits Vaandrager Finding Bugs Using Automata Learning

  28. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work A Theory of Mappers (FMSD, 2015) Frits Vaandrager Finding Bugs Using Automata Learning

  29. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work A Theory of Mappers (cnt) Formally, a mapper can be viewed as a transducer (deterministic Mealy machine). A mapper A induces an abstraction operation α A and a concretization operator γ A . Theorem For a mapper A and nondeterministic Mealy machines M and H , α A ( M ) ≤ H iff M ≤ γ A ( H ) . (modulo a minor technical condition) Frits Vaandrager Finding Bugs Using Automata Learning

  30. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Our Research Method Frits Vaandrager Finding Bugs Using Automata Learning

  31. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work EMV Protocol (Aarts et al, 2013) EMV = Europay/Mastercard/Visa Compatibility between smartcards and terminals SEPA requires EMV compliance EMV standard has > 700 pages Learning took at most 1500 membership queries, less than 30 minutes Useful for fingerprinting cards Frits Vaandrager Finding Bugs Using Automata Learning

  32. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work E.dentifier2 (WOOT’14) Frits Vaandrager Finding Bugs Using Automata Learning

  33. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work State Machines for Old and New E.dentifier2 Frits Vaandrager Finding Bugs Using Automata Learning

  34. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Bugs in Protocol Implementations Standard violations found in implementations of major protocols: TLS (Usenix Security’15) TCP (CAV’16) SSH (Spin’17) Frits Vaandrager Finding Bugs Using Automata Learning

Recommend

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Failure is not an option * A journey through software bugs Philippe Biondi Nov 20 th 2015 / GreHack Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs

966 views • 63 slides
1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

What is a bug? Formally, a software defect A Bugs life SUT fails to perform to spec SUT causes something else to fail SUT functions, but does not satisfy Finding and Managing Bugs usability criteria CSE 403 If the

643 views • 3 slides
Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues CS553 Lecture Finding Bugs 2

461 views • 8 slides
CALF: Categorical Automata Learning Framework Matteo Sammartino Alexandra Silva Gerco van

CALF: Categorical Automata Learning Framework Matteo Sammartino Alexandra Silva Gerco van

CALF: Categorical Automata Learning Framework Matteo Sammartino Alexandra Silva Gerco van Heerdt May 23, 2017 1 / 61 Active automata learning Active automata learning algorithms learn an automaton describing the behaviour of a system by

768 views • 61 slides
Active automata learning Based on: Bernhard Steffen, Falk Howar und Maik Merten: Introduction to

Active automata learning Based on: Bernhard Steffen, Falk Howar und Maik Merten: Introduction to

Active automata learning Based on: Bernhard Steffen, Falk Howar und Maik Merten: Introduction to Active Automata Learning from a Practical Perspective. SFM 2011: 256-296. Motivation We want to apply model-based techniques. But: often

1.85k views • 167 slides
A practical introduction to active automata learning Bernhard Steffen, Falk Howar, Maik Merten TU

A practical introduction to active automata learning Bernhard Steffen, Falk Howar, Maik Merten TU

A practical introduction to active automata learning Bernhard Steffen, Falk Howar, Maik Merten TU Dortmund SFM2011 Maik Merten, learning technology 1 Overview Motivation Introduction to active automata learning Practical aspects in

1.11k views • 84 slides
Active Automata Learning: From DFA to Interface Programs and Beyond or From Languages to Program

Active Automata Learning: From DFA to Interface Programs and Beyond or From Languages to Program

Active Automata Learning: From DFA to Interface Programs and Beyond or From Languages to Program Executions or (more technically) The Power of Counterexample Analysis Bernhard Steffen, Falk Howar, Malte Isberner TU Dortmund /CMU B. Steffen

962 views • 71 slides
1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

Finding Bugs Problem Last time What is a bug? a path in the code that causes a run-time exception Alias/Pointer analysis a path through the code that causes incorrect results Today Issues Program Analysis for finding bugs,

214 views • 4 slides
Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan,

Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan,

Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan, Fuyuan Zhang, Geguang Pu, Zhendong Su Software Model Checking 2 Software Model Checking P 3 Software Model Checking P 4 Software

1.41k views • 114 slides
Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs Facts on Debugging Software bugs are

840 views • 63 slides
Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still missed Rare features Rare circumstances Nondeterminism Static analysis Can analyze all possible runs of a program An explosion

597 views • 25 slides
B uchi Automata and their Application to Software Verification Finite Automata Theory and

B uchi Automata and their Application to Software Verification Finite Automata Theory and

B uchi Automata and their Application to Software Verification Finite Automata Theory and Formal Languages Wolfgang Ahrendt 22nd April 2013 B uchi Automata: TMV027/DIT321 / GU 130423 1 / 25 Motivating Temporal Logic? But How to

832 views • 64 slides
Agenda Intro to Active Learning Activity Design Resources for Active Learning Lunch with Active

Agenda Intro to Active Learning Activity Design Resources for Active Learning Lunch with Active

Agenda Intro to Active Learning Activity Design Resources for Active Learning Lunch with Active Learning Veterans Wrap Up Introduction to Active Learning What is active learning? Brainstorm your ideas with your group and generate a

855 views • 42 slides
Multi-Task Active Learning Yi Zhang Outline Active Learning Multi-Task Active Learning

Multi-Task Active Learning Yi Zhang Outline Active Learning Multi-Task Active Learning

Multi-Task Active Learning Yi Zhang Outline Active Learning Multi-Task Active Learning Linguistic Annotations (ACL 08) Image Classification (CVPR 08) Current Work and Discussions Constraint-Driven Active Learning

945 views • 47 slides
Finding variability bugs in Linux Iago Abal Rivas IT Universitetet i Kbenhavn Joint work with

Finding variability bugs in Linux Iago Abal Rivas IT Universitetet i Kbenhavn Joint work with

Finding variability bugs in Linux Iago Abal Rivas IT Universitetet i Kbenhavn Joint work with Andrzej Wsowski and Claus Brabrand FOSD Meeting 2014 1 / 28 Agenda 40 variability bugs in Linux: A Qualitative Study (10m) Method Example

540 views • 36 slides
ACTIVE 1. WELCOME and JUMPING IN LEARNING 1. WHAT IS ACTIVE LEARNING? la Carte 1.

ACTIVE 1. WELCOME and JUMPING IN LEARNING 1. WHAT IS ACTIVE LEARNING? la Carte 1.

ACTIVE 1. WELCOME and JUMPING IN LEARNING 1. WHAT IS ACTIVE LEARNING? la Carte 1. CONSTRUCTING our TEACHING CHALLENGES in a low tech 1. ORCHESTRATION environment 1. SHOW-AND-TELL Selma Hamdani Psychology / DALC / Neuroscience

836 views • 50 slides
Active Learning Passive Learning Active Learning 1. Think 1. Acquisition of knowledge Ability

Active Learning Passive Learning Active Learning 1. Think 1. Acquisition of knowledge Ability

Active Learning Passive Learning Active Learning 1. Think 1. Acquisition of knowledge Ability 2. Decision making 2. Application of knowledge 3. Explain/communicate 1. Deep learning Approach to Uni-directional 2. Interactive Learning

282 views • 5 slides
1 Making BUGS Open 2 Adopt a module BUGS is a long running software project aiming to make

1 Making BUGS Open 2 Adopt a module BUGS is a long running software project aiming to make

1 Making BUGS Open 2 Adopt a module BUGS is a long running software project aiming to make modern MCMC Unique once in a life time opertunity. You can choose which techniques based on graphical models available to applied OpenBUGS module you

327 views • 11 slides
Learning Nominal Automata Joshua Moerman Matteo Sammartino , Alexandra Silva (Radboud University)

Learning Nominal Automata Joshua Moerman Matteo Sammartino , Alexandra Silva (Radboud University)

Learning Nominal Automata Joshua Moerman Matteo Sammartino , Alexandra Silva (Radboud University) (University College London) Bartek Klin, Micha Szynwelski (Warsaw University) POPL 2017 Paris Active learning queries System Learner

808 views • 36 slides
Testing Test Cases: Finding Errors Bug : Error in a program. (Always expect them!)

Testing Test Cases: Finding Errors Bug : Error in a program. (Always expect them!)

Mini-Lecture 9 Testing Test Cases: Finding Errors Bug : Error in a program. (Always expect them!) Debugging : Process of finding bugs and removing them. Testing : Process of analyzing, running program, looking for bugs. Test

365 views • 13 slides
Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee Insik Shin Korea Advanced Institute of Science and Technology Seoul National University Purdue

3.64k views • 23 slides
Finding Rare Concurrent Programming Bugs An Automatic , Symbolic , Randomized , and Parallelizable

Finding Rare Concurrent Programming Bugs An Automatic , Symbolic , Randomized , and Parallelizable

ICTAC 2018 15 th International Colloquium on Theoretical Aspects of Computing Stellenbosch, South Africa, Oct 19, 2018 Finding Rare Concurrent Programming Bugs An Automatic , Symbolic , Randomized , and Parallelizable Approach Gennaro Parlato

818 views • 59 slides
From LNK to RCE Finding bugs in Windows Shell Link Parser Lays Who am I - Lays Senior

From LNK to RCE Finding bugs in Windows Shell Link Parser Lays Who am I - Lays Senior

From LNK to RCE Finding bugs in Windows Shell Link Parser Lays Who am I - Lays Senior Researcher at TeamT5 Focus on Reverse Engineering / Vulnerability Research MSRC Most Valuable Security Researcher 2019 / 2020 Acknowledged by

1.31k views • 103 slides
12.1 Active Learning: A Review When learning, it may be the case that getting the true labels of

12.1 Active Learning: A Review When learning, it may be the case that getting the true labels of

CS/CNS/EE 253: Advanced Topics in Machine Learning Topic: Active Learning Review and Kernel Methods Lecturer: Andreas Krause Scribe: Jonathan Krause Date: Feb. 17, 2010 12.1 Active Learning: A Review When learning, it may be the case that getting

213 views • 5 slides

More recommend