heap cloning enabling
play

Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs - PDF document

Aug 01, 2023 •328 likes •558 views

11/27/2011 Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean Harrold Supported by NSF (CCF-0725202, CCF-0541048) and IBM (Software Quality Innovation Award) Symbolic Execution 35 Databases 30

  1. 11/27/2011 Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean Harrold Supported by NSF (CCF-0725202, CCF-0541048) and IBM (Software Quality Innovation Award) Symbolic Execution 35 Databases 30 Systems 25 Verification 20 15 Security 10 Programming Languages 5 Software 0 Engineering 2005 2006 2007 2008 2009 2010 2011 Estimated number of publications related to symbolic execution. The list of papers available at: http://sites.google.com/site/symexbib 1

  2. 11/27/2011 Symbolic Execution 35 Databases 30 Systems 25 Goal of this work is to enable correct Verification 20 symbolic execution of real-world Java 15 Security programs with minimal manual effort. 10 Programming Languages 5 Software 0 Engineering 2005 2006 2007 2008 2009 2010 2011 Estimated number of publications related to symbolic execution. The list of papers available at: http://sites.google.com/site/symexbib Outline • Problem • Heap Cloning • Empirical evaluation • Conclusion 2

  3. 11/27/2011 Outline • Problem • Heap Cloning • Empirical evaluation • Conclusion Symbolic Execution of Real-World Programs P’ not symbolically executed because: To be P’ 1. P’ uses difficult -to- symbolically executed handle Java features Not to be such as native methods. symbolically 2. symbolic execution of P’ P executed is mostly unnecessary. Program 3

  4. 11/27/2011 Symbolic Execution with User-specified Models Replace P’ with user-specified To be models P M P M symbolically executed Impractical! Requires significant P manual effort. Program Dynamic Symbolic Execution Symbolic execution P: to be symbolically executed P’: not to be symbolically executed Concrete execution Call/return P’ No manual effort to write models P Program 4

  5. 11/27/2011 Example class A { void negate() { int f; this.f = -this.f; A(int x) { } this.f = x; Java version of } native method negate native void negate(); } Example class A { int f; Task: A(int x) { Perform dynamic symbolic this.f = x; execution along the path (1-2- } 3-4-5-7) that program takes for concrete input -10. native void negate(); Requirement: void main() { Native method negate() not 1 x = read(); 2 m = new A(x); to be symbolically executed 3 if(m.f < 0) 4 m.negate(); 5 if(m.f < 0) 6 error(); 7 exit(); } } 5

  6. 11/27/2011 Dynamic Symbolic Execution 1 x = read(); 2 m = new A(x); 3 if(m.f < 0) 4 m.negate(); 5 if(m.f < 0) 6 error(); Continued on 7 exit(); next slide -10, X 0 x PC: true state before: m = new A(x) Dynamic Symbolic Execution 1 x = read(); Path Constraint (PC) of a 2 m = new A(x); 3 if(m.f < 0) path is a constraint of input 4 m.negate(); values. 5 if(m.f < 0) 6 error(); Continued on 7 exit(); next slide If PC is unsatisfiable, the path is infeasible. -10, X 0 If PC is satisfiable, any x solution of PC is a program PC: true input that takes the corresponding program path. state before: m = new A(x) 6

  7. 11/27/2011 Dynamic Symbolic Execution 1 x = read(); 2 m = new A(x); 3 if(m.f < 0) 4 m.negate(); 5 if(m.f < 0) 6 error(); Continued on 7 exit(); next slide f -10, X 0 A -10, X 0 x m x PC: true PC: true state before: m = new A(x) state before: if(m.f < 0) Differences between two successive states are shown in Red . Dynamic Symbolic Execution 1 x = read(); 2 m = new A(x); 3 if(m.f < 0) 4 m.negate(); 5 if(m.f < 0) 6 error(); Continued on 7 exit(); next slide f f -10, X 0 -10, X 0 A -10, X 0 A x m x m x PC: true PC: X 0 < 0 PC: true state before: m = new A(x) state before: if(m.f < 0) state before: m.negate() Differences between two successive states are shown in Red . 7

  8. 11/27/2011 Dynamic Symbolic Execution 1 x = read(); 2 m = new A(x); 3 if(m.f < 0) 4 m.negate(); 5 if(m.f < 0) Continued 6 error(); from prev. 7 exit(); slide Without model of negate native method f -10, X 0 A m x PC: X 0 < 0 state before: m.negate() Differences between two successive states are shown in Red . Dynamic Symbolic Execution 1 x = read(); 2 m = new A(x); 3 if(m.f < 0) 4 m.negate(); 5 if(m.f < 0) Continued 6 error(); from prev. 7 exit(); slide Without model of negate native method f f -10, X 0 10, X 0 -10, X 0 A A m x m x PC: X 0 < 0 PC: X 0 < 0 state before: m.negate() states before: if(m.f < 0) Differences between two successive states are shown in Red . 8

  9. 11/27/2011 Dynamic Symbolic Execution 1 x = read(); Concrete value of the field 2 m = new A(x); changed from -10 to 10. But, 3 if(m.f < 0) 4 m.negate(); symbolic value X 0 did not 5 if(m.f < 0) change. Continued 6 error(); from prev. 7 exit(); slide Without model of negate native method f f -10, X 0 10, X 0 -10, X 0 A A m x m x PC: X 0 < 0 PC: X 0 < 0 state before: m.negate() states before: if(m.f < 0) Differences between two successive states are shown in Red . Dynamic Symbolic Execution 1 x = read(); 2 m = new A(x); 3 if(m.f < 0) UNSAT Solve PC: X 0 < 0 & X 0 >= 0 4 m.negate(); 5 if(m.f < 0) Continued 6 error(); from prev. 7 exit(); slide Without model of negate native method -10, X 0 10, X 0 -10, X 0 A A m x m x PC: X 0 < 0 PC: X 0 < 0 state before: m.negate() states before: if(m.f < 0) Differences between two successive states are shown in Red . 9

  10. 11/27/2011 Dynamic Symbolic Execution 1 x = read(); 2 m = new A(x); 3 if(m.f < 0) UNSAT Solve PC: X 0 < 0 & X 0 >= 0 4 m.negate(); 5 if(m.f < 0) Continued 6 error(); from prev. 7 exit(); Meaning: there is no slide Without model of negate native method input that takes the path 1-2-3-4-5-7 -10, X 0 10, X 0 -10, X 0 A A Incorrect! m x m x PC: X 0 < 0 PC: X 0 < 0 state before: m.negate() states before: if(m.f < 0) Differences between two successive states are shown in Red . Dynamic Symbolic Execution with Models 1 x = read(); void negate() { 2 m = new A(x); this.f = -this.f; 3 if(m.f < 0) } 4 m.negate(); User-specified 5 if(m.f < 0) model of negate Continued 6 error(); from prev. 7 exit(); slide -10, X 0 A m x PC: X 0 < 0 state before: m.negate() Differences between two successive states are shown in Red . 10

  11. 11/27/2011 Dynamic Symbolic Execution with Models 1 x = read(); void negate() { 2 m = new A(x); this.f = -this.f; 3 if(m.f < 0) } 4 m.negate(); User-specified 5 if(m.f < 0) model of negate Continued 6 error(); from prev. 7 exit(); slide With model of negate native method -10, X 0 10, -X 0 -10, X 0 A A m x m x PC: X 0 < 0 PC: X 0 < 0 state before: m.negate() states before: if(m.f < 0) Differences between two successive states are shown in Red . Dynamic Symbolic Execution with Models 1 x = read(); 2 m = new A(x); 3 if(m.f < 0) X 0 = -1 Solve PC: X 0 < 0 & -X 0 >= 0 4 m.negate(); 5 if(m.f < 0) Continued 6 error(); from prev. 7 exit(); slide With model of negate native method -10, X 0 10, -X 0 -10, X 0 A A m x m x PC: X 0 < 0 PC: X 0 < 0 state before: m.negate() states before: if(m.f < 0) Differences between two successive states are shown in Red . 11

  12. 11/27/2011 But, Models Not Always Needed for Soundness! void negate() { this.f = -this.f; } Modified example Original example 1 x = read(); 1 x = read(); 2 m = new A(x); 2 m = new A(x); 3 if(m.f < 0) 3 if(m.f < 0) 4 m.negate(); 4 m.negate(); 5 if(m.f < 0) 5 if(x < 0) 6 error(); 6 error(); 7 exit(); 7 exit(); But, Models Not Always Needed for Soundness! void negate() { Stmt at line 5 uses the Stmt at line 5 does not Stmt at line 5 uses the Stmt at line 5 does not this.f = -this.f; value defined inside use the value defined value defined inside use the value defined } negate method. inside negate method. inside negate method. negate method . Modified example Original example Thus, negate Thus, negate does not introduces imprecision. introduce imprecision. 1 x = read(); 1 x = read(); Thus, model for negate 2 m = new A(x); 2 m = new A(x); Thus, no need for model for negate . is needed. 3 if(m.f < 0) 3 if(m.f < 0) 4 m.negate(); 4 m.negate(); 5 if(m.f < 0) 5 if(x < 0) 6 error(); 6 error(); 7 exit(); 7 exit(); 12

  13. 11/27/2011 Goal and Approach Goal: Identify where imprecision is introduced and report to user. User then provides models for only a subset methods in P’ to eliminate imprecision. Approach : 1. Transform the program using Heap Cloning. 2. Perform dynamic symbolic execution of the transformed program without any models 3. Detect and report where imprecision might be introduced. Outline • Problem • Heap Cloning • Empirical evaluation • Conclusion 13

  14. 11/27/2011 Heap Cloning Heap Cloning Original Transformed Program P Program P T Transformation 1. Symbolic execution of P T generates same results as symbolic execution of P. 2. However, if imprecision is introduced during symbolic execution of P T , it can be detected and reported to user. Heap Cloning For every class A, Heap class HC.java.lang.Object { … Cloning generates HC.A. } For each field (method) class HC.A extends of A, HC.A has a HC.java.lang.Object { corresponding field (method). If class A extends class HC.A m = new HC.A(); B, HC.A extends HC.B Almost all references to } A are changed to HC.A 14

Recommend

Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris

Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris

Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris Lattner Andrew Lenharth Vikram Adve Apple UIUC UIUC What is Heap Cloning? Distinguish objects by acyclic call path void foo() { list*

556 views • 28 slides
PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

ERIE COUNTY DEPARTMENT OF SOCIAL SERVICES Program Overview PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low income households to reduce energy expense s. HEAP PROGRAMS Regular HEAP Available

531 views • 14 slides
Cloning Tools Photoshop Tutorials Introduction In a skilled and experienced hand, the cloning

Cloning Tools Photoshop Tutorials Introduction In a skilled and experienced hand, the cloning

Cloning Tools Photoshop Tutorials Introduction In a skilled and experienced hand, the cloning tools lead to phenomenal results. In the hands of a careless artist, Photoshop cloning can be disastrous to the credibility of the result. This

266 views • 25 slides
Datalog. by Franois Gauthier It all began with a qualifying exam Among the heap of papers I

Datalog. by Franois Gauthier It all began with a qualifying exam Among the heap of papers I

Simplified data-flow analysis with Datalog. by Franois Gauthier It all began with a qualifying exam Among the heap of papers I had to read, there was this one: Cloning-based context-sensitive pointer alias analysis using binary decision

578 views • 28 slides
Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A) for i = floor( A.length/2 ) to 1 Max-Heapify(A, i) Build-Max-Heap Red part is already Heapified Build-Max-Heap Correctness: Base: Each alone

429 views • 23 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
Looking for someone to do presentation on cloning &gt;&gt;&gt;CLICK HERE&lt;&lt;&lt; Looking for

Looking for someone to do presentation on cloning &gt;&gt;&gt;CLICK HERE&lt;&lt;&lt; Looking for

Looking for someone to do presentation on cloning. Trust the best User Feed back Thank you so much for the essay. Moreover, we never resell our papers. Looking for someone to do presentation on cloning &gt;&gt;&gt;CLICK HERE&lt;&lt;&lt;

192 views • 3 slides
SHEEP CLONING Paley Li, Nicholas Cameron, and James Noble 2 Object cloning How do you do

SHEEP CLONING Paley Li, Nicholas Cameron, and James Noble 2 Object cloning How do you do

1 SHEEP CLONING Paley Li, Nicholas Cameron, and James Noble 2 Object cloning How do you do object cloning? 3 Shallow cloning Copies an object and alias the references in that object. 3 Shallow cloning Copies an object and alias

833 views • 79 slides
Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The

Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The

Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The binomial heap allows for efficient union, which can not be done efficiently in the binary heap. The extra cost paid is the minimum operation, which

560 views • 24 slides
ENZYMES IN CLONING PART I Dr.Sarookhani / / Cloning Cloning -

ENZYMES IN CLONING PART I Dr.Sarookhani / / Cloning Cloning -

/ / ENZYMES IN CLONING PART I Dr.Sarookhani / / Cloning Cloning - - a definition a definition From the Greek From the Greek - - klon, a twig klon, a twig An

856 views • 61 slides
When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's

When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's

When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's first hire in July, 2013. Previously an engineer at Palantir. Studied Math &amp; CS at Stanford. What we'll talk about: 1. What is Heap? 2.

695 views • 47 slides
heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O (

heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O (

heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O ( n ) analysis via picture (learn) or using summations (know result) data structures and algorithms building a heap one-by-one in O ( n log n ) 2020

672 views • 7 slides
Ligase-Independent Cloning Ligase-Independent Cloning for BioBrick Preparation for BioBrick

Ligase-Independent Cloning Ligase-Independent Cloning for BioBrick Preparation for BioBrick

Ligase-Independent Cloning Ligase-Independent Cloning for BioBrick Preparation for BioBrick Preparation Calvin Christian School Lethbridge, Alberta, Canada November 2008 Lethbridge CCS Team Lethbridge Edmonton Calgary Lethbridge, Alberta,

700 views • 36 slides
Initializing A Max Heap Initializing A Max Heap 1 1 3 3 2 2 4 5 6 7 4 5 6 7 8 9 7

Initializing A Max Heap Initializing A Max Heap 1 1 3 3 2 2 4 5 6 7 4 5 6 7 8 9 7

Initializing A Max Heap Initializing A Max Heap 1 1 3 3 2 2 4 5 6 7 4 5 6 7 8 9 7 7 11 8 8 9 7 7 11 8 10 10 input array = [-, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11] Start at rightmost array position that has a child.

522 views • 9 slides
Understanding the heap by breaking it A case study of the heap as a persistent data structure

Understanding the heap by breaking it A case study of the heap as a persistent data structure

Understanding the heap by breaking it A case study of the heap as a persistent data structure through non-traditional exploitation techniques Justin N. Ferguson // BH2007 The heap, what is it? Globally scoped data structure

906 views • 58 slides
CSC2621 Topics in Robotics Reinforcement Learning in Robotics Week 2: Behavioral Cloning from

CSC2621 Topics in Robotics Reinforcement Learning in Robotics Week 2: Behavioral Cloning from

CSC2621 Topics in Robotics Reinforcement Learning in Robotics Week 2: Behavioral Cloning from Observation Tingwu Wang, Dylan Turpin, Animesh Garg Agenda Background Problem Setting Behavior Cloning / Dagger Generative Adversarial

411 views • 12 slides
Pseudorandom States, No-Cloning Pseudorandom States, No-Cloning Theorems and Quantum Money

Pseudorandom States, No-Cloning Pseudorandom States, No-Cloning Theorems and Quantum Money

Pseudorandom States, No-Cloning Pseudorandom States, No-Cloning Theorems and Quantum Money Theorems and Quantum Money Zhengfeng Ji (UTS:QSI) QCrypt 2018, Shanghai 1 . 1 A Joint Work With A Joint Work With Yi-Kai Liu Fang Song (NIST and

257 views • 24 slides
In the Beginning was the Word Stephen Heap In the Beginning was the Word

In the Beginning was the Word Stephen Heap In the Beginning was the Word

In the Beginning was the Word Stephen Heap In the Beginning was the Word s.heap@uq.edu.au Stephen Heap s.heap@uq.edu.au Reading skill is based on three kinds of knowledge A fluent reader must have knowledge of: Language : word

480 views • 46 slides
A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three

A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three

A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three segments are: code , read-only data and global data for the running process gurka. Then there is a segment for the heap . The segment marked with

399 views • 10 slides
Fibonacci Heap Group Paradox December 21, 2016 Contents 1. Introduction 2. Operations 3. Why

Fibonacci Heap Group Paradox December 21, 2016 Contents 1. Introduction 2. Operations 3. Why

Fibonacci Heap Group Paradox December 21, 2016 Contents 1. Introduction 2. Operations 3. Why it called Fibonacci (the proof) Priority Queue in Dijkstra Fibonacci Heap Operation Binary Heap Fibonacci Heap Find-Min O (1) O (1) Insert O (

465 views • 21 slides
6.006- Introduction to Priority Queue Algorithms A data structure implementing a set S of

6.006- Introduction to Priority Queue Algorithms A data structure implementing a set S of

Heap Menu Implementation of a priority queue Priority Queues An array, visualized as a nearly complete binary tree Max Heap Property: The key of a node is than the keys of Heaps its children (Min Heap defined

202 views • 7 slides
Priority Queue / Heap Stores ( key,data ) pairs (like dictionary) But, different set of

Priority Queue / Heap Stores ( key,data ) pairs (like dictionary) But, different set of

Priority Queue / Heap Stores ( key,data ) pairs (like dictionary) But, different set of operations: Initialize Heap : creates new empty heap Is Empty : returns true if heap is empty Insert ( key,data ): inserts ( key,data

956 views • 51 slides
Genes can be cloned in recombinant plasmids Gene cloning Enzymes are used to cut and paste

Genes can be cloned in recombinant plasmids Gene cloning Enzymes are used to cut and paste

Genes can be cloned in recombinant plasmids Gene cloning Enzymes are used to cut and paste DNA Cloned genes can be stored in genomic libraries Reverse transcriptase can help make genes for cloning Nucleic acid probes identify clones

594 views • 8 slides
Say Goodbye to Off-heap Caches! On-heap Caches Using Memory-Mapped I/O Iacovos G. Kolokasis 1 ,

Say Goodbye to Off-heap Caches! On-heap Caches Using Memory-Mapped I/O Iacovos G. Kolokasis 1 ,

Say Goodbye to Off-heap Caches! On-heap Caches Using Memory-Mapped I/O Iacovos G. Kolokasis 1 , Anastasios Papagiannis 1 , Foivos Zakkak 2 , Polyvios Pratikakis 1 , and Angelos Bilas 1 1 University of Crete &amp; Foundation of Research and

457 views • 19 slides

More recommend