introduction to static analysis for assurance
play

Introduction to Static Analysis for Assurance John Rushby Computer - PowerPoint PPT Presentation

Jan 09, 2024 •387 likes •732 views

Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby Static Analysis for Assurance: 1 Overview What is static analysis? Examples of some techniques

  1. Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby Static Analysis for Assurance: 1

  2. Overview • What is static analysis? • Examples of some techniques • Tradeoffs • Commercial static analyzers • Use in Assurance John Rushby Static Analysis for Assurance: 2

  3. What Does This Program Do? • Context: we have developed a program and want some evidence about what it does and doesn’t do • I’ll call it a program, even though it’s probably an embedded system with multiple software components ◦ That makes use of systems software and libraries ◦ And interacts with hardware We’ll come to these complexities later • Evidence is a pretty strong notion: intended for assurance ◦ Never does certain things ⋆ e.g., a runtime exception ◦ Always does a certain thing ⋆ e.g., delivers a good value to the actuator Weaker notions can be useful for bug finding John Rushby Static Analysis for Assurance: 3

  4. Evidence About Program Behavior • One approach is testing • We generate many tests and observe the program in execution ◦ We are looking at the real thing—that’s good ◦ But how can we get evidence for always and never? ◦ Usually some notion of coverage, but it falls short of evidence • Let’s look at an example John Rushby Static Analysis for Assurance: 4

  5. The Bug That Stopped The Zunes Real time clock sets days to number of days since 1 Jan 1980 year = ORIGINYEAR; /* = 1980 */ while (days > 365) { if (IsLeapYear(year)) { if (days > 366) { days -= 366; year += 1; } else... loops forever on last day of a leap year } else { days -= 365; year += 1; } } Coverage-based testing will find this John Rushby Static Analysis for Assurance: 5

  6. A Hasty Fix while (days > 365) { if (IsLeapYear(year)) { if (days > 365) { days -= 366; year += 1; } } else { days -= 365; year += 1; } } • Fixes the loop but now days can end up as zero • Coverage-based testing might not find this • Boundary condition testing would • But I think the point is clear. . . John Rushby Static Analysis for Assurance: 6

  7. The Problem With Testing • Is that it only samples the set of possible behaviors • And unlike physical systems (where many engineers gained their experience), software systems are discontinuous • There is no sound basis for extrapolating from tested to untested cases • So we need to consider all possible cases. . . how is this possible? • It’s possible with symbolic methods • Cf. x 2 − y 2 = ( x − y )( x + y ) vs. 5*5-3*3 = (5-3)*(5+3) • Static Analysis is about totally automated ways to do this John Rushby Static Analysis for Assurance: 7

  8. The Zune Example Again [days > 0] while (days > 365) { [days > 365] if (*)) { if (days > 365) { [days > 365] days -= 366; [days >= 0] year += 1; } } else { [days > 365] days -= 365; [days > 0] year += 1; } } [days >= 0 and days <= 365] John Rushby Static Analysis for Assurance: 8

  9. Approximations • We were lucky that we could do the previous example with full symbolic arithmetic • Usually, the formulas get bigger and bigger as we accumulate information from loop iterations (we’ll see an example later) • So it’s common to approximate or abstract information to try and keep the formulas manageable • Here, instead of the natural numbers 0, 1, 2, . . . , we could use ◦ zero, small, big ◦ Where big abstracts everything bigger than 365, small is everything from 1 to 365, and zero is 0 ◦ Arithmetic becomes nondeterministic ⋆ e.g., small+small = small | big John Rushby Static Analysis for Assurance: 9

  10. The Zune Example Abstracted [days = small | big] while (days = big) { [days = big] if (*)) { if (days = big ) { [days = big ] days -= big; [days = big | small | zero] year += 1; } } else { [days = big] days -= small; [days = big | small] year += 1; } } [days = small | zero] John Rushby Static Analysis for Assurance: 10

  11. The Zune Example Abstracted Again Suppose we abstracted to { negative, zero, positive } [days = positive] while (days = positive) { [days = positive] if (*)) { if (days = positive ) { [days = positive ] days -= positive; [days = negative | zero | positive] year += 1; } } else { [days = positive] days -= positive; [days = negative | zero | positive] year += 1; } } [days = negative | zero] We’ve lost too much information: have a false alarm that days can go negative (pointer analysis is sometimes this crude) John Rushby Static Analysis for Assurance: 11

  12. We Have To Approximate, But There’s A Price • It’s no accident that we sometimes lose precision • Rice’s Theorem says there are inherent limits on what can be accomplished by automated analysis of programs ◦ Sound (miss no errors) ◦ Complete (no false alarms) ◦ Automatic ◦ Allow arbitrary (unbounded) memory structures ◦ Final results Choose at most 4 of the 5 John Rushby Static Analysis for Assurance: 12

  13. Approximations approximation reachable states Sound approximations include all the behaviors and reachable states of the real system, but are easier to compute John Rushby Static Analysis for Assurance: 13

  14. But Sound Approximations Come with a Price approximation false alarm reachable states May flag an error that is unreachable in the real system: a false positive, or false alarm John Rushby Static Analysis for Assurance: 14

  15. Unsound Approximations Come with a Price, Too underapproximation false reachable states negative Can miss real errors: a false negative John Rushby Static Analysis for Assurance: 15

  16. Predicate Abstraction • The Zune example used data abstraction ◦ A kind of abstract interpretation • Replaces variables of complex data types by simpler (often finite) ones ◦ e.g., integers replaced by { negative, zero, positive } • But sometimes this doesn’t work ◦ Just replaces individual variables ◦ Often its the relationship between variables that matters • Predicate abstraction replaces some relationships (predicates) by Boolean variables John Rushby Static Analysis for Assurance: 16

  17. Another Example start with r unlocked do { lock(r) old = new if (*) { unlock(r) new++ } } while old != new want r to be locked at this point unlock(r) John Rushby Static Analysis for Assurance: 17

  18. Abstracted Example The significant relationship seems to be old == new Replace this by eq , throw away old and new [!locked] do { lock(r) [locked] eq = true [locked, eq] if (*) { unlock(r) [!locked, eq] eq = false [!locked, !eq] } } [locked, eq] or [!locked, !eq] while not eq [locked, eq] unlock(r) John Rushby Static Analysis for Assurance: 18

  19. Yet Another Example z := n; x := 0; y := 0; while (z > 0) { if (*) { x := x+1; z := z-1; } else { y := y+1; z := z-1; } } want y!= 0, given x != z, n > 0 • The invariant needed is x + y + z = n • But neither this nor its fragments appear in the program or the desired property John Rushby Static Analysis for Assurance: 19

  20. Let’s Just Go Ahead First time into the loop [n > 0] z := n; x := 0; y := 0; while (z > 0) { [x = 0, y = 0, z = n] if (*) { x := x+1; z := z-1; [x = 1, y = 0, z = n-1] } else { y := y+1; z := z-1; [x = 0, y = 1, z = n-1] } [x = 1, y = 0, z = n-1] or [x = 0, y = 1, z = n-1] } Next time around the loop we’ll have 4 disjuncts, then 8, then 16, and so on This won’t get us anywhere useful John Rushby Static Analysis for Assurance: 20

  21. Widening the Abstraction • We could try eliminate disjuncts • Look for a conjunction that is implied by each of the disjuncts • One such is [x+y = 1, z = n-1] • Then we’d need to do the same thing with [x+y = 1, z = n-1] or [x = 0, y = 0, z = n] • That gives [x + y + z = n] • There are techniques that can do this automatically • This is where a lot of the research action is John Rushby Static Analysis for Assurance: 21

  22. Tradeoffs • We’re trying to guarantee absence of errors in a certain class • Equivalently, trying to verify properties of a certain class • Terminology is in terms of finding errors TP True Positive: found a real error FP False Positive: false alarm TN True Negative: no error, no alarm—OK FN False Negative: missed error • Then we have Sound: no false negatives Recall: TP/(TP+FN) measures how (un)sound TP+FN is number of real errors Complete: no false alarms Precision: TP/(TP+FP) measures how (in)complete TP+FP is number of alarms John Rushby Static Analysis for Assurance: 22

  23. Tradeoff Space • Basic tradeoff is between soundness and completeness • For assurance, we need soundness ◦ When told there are no errors, there must be none So have to accept false alarms • But the main market for static analysis is bug finding in general-purpose software, where they aim merely to reduce the number of bugs, not to eliminate them • Their general customers will not tolerate many false alarms, so tool vendors give up soundness • Will consider the implications later • Other tradeoffs are possible ◦ Give up full automation: e.g., require user annotation John Rushby Static Analysis for Assurance: 23

Recommend

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

490 views • 37 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Static Assurance with Types Liam OConnor University of Edinburgh LFCS (and UNSW) Term 2 2020

Static Assurance with Types Liam OConnor University of Edinburgh LFCS (and UNSW) Term 2 2020

Static Assurance Phantom Types GADTs Type Families Software System Design and Implementation Static Assurance with Types Liam OConnor University of Edinburgh LFCS (and UNSW) Term 2 2020 1 Static Assurance Phantom Types GADTs Type

1.09k views • 81 slides
CMSC 430 Introduction to Compilers Fall 2018 Symbolic Execution Introduction Static

CMSC 430 Introduction to Compilers Fall 2018 Symbolic Execution Introduction Static

CMSC 430 Introduction to Compilers Fall 2018 Symbolic Execution Introduction Static analysis is great Lots of interesting ideas and tools Commercial companies sell, use static analysis It all looks good on paper, and in papers

317 views • 27 slides
CMSC 430 Introduction to Compilers Spring 2016 Symbolic Execution Introduction Static

CMSC 430 Introduction to Compilers Spring 2016 Symbolic Execution Introduction Static

CMSC 430 Introduction to Compilers Spring 2016 Symbolic Execution Introduction Static analysis is great Lots of interesting ideas and tools Commercial companies sell, use static analysis #!@? It all looks good on paper, and in

318 views • 28 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on

938 views • 69 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot &amp; CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER What is static analysis? Compile-time testing of all possible code paths. Whats Coverity static analysis

236 views • 12 slides
Outline t t Why static analysis? t t What is it? Underlying technology t Some

Outline t t Why static analysis? t t What is it? Underlying technology t Some

2005-05-04 Static Analysis methods and tools An industrial study t Pr Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU t itle Outline t t Why static analysis? t t What is it? Underlying technology t Some tools

438 views • 19 slides
Notes for State of the Art Report on Type Systems and Static Analysis for Distributed Programming

Notes for State of the Art Report on Type Systems and Static Analysis for Distributed Programming

Notes for State of the Art Report on Type Systems and Static Analysis for Distributed Programming Languages J. Rathke Mikado meeting Lisbon, June 2002 p.1/7 Introduction Why use typed languages? What is typed static analysis?

118 views • 7 slides
Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Tid rum Static Execution Time Analysis Niklas Holsti Space Systems Finland Ltd (now) Tidorum Ltd(to be) Overview Area of interest Current state Work in progress What to do next 1 bo Akademi, ES lab, 2003-10-03 Tid rum

466 views • 12 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot &amp; CNRS VTSA 2015 1 / 149 Outline Introduction 1 Formal

861 views • 68 slides
GPU-Accelerated Static Timing Analysis Zizheng Guo 1 , Tsung-Wei Huang 2 , Yibo Lin 1 1 CS

GPU-Accelerated Static Timing Analysis Zizheng Guo 1 , Tsung-Wei Huang 2 , Yibo Lin 1 1 CS

GPU-Accelerated Static Timing Analysis Zizheng Guo 1 , Tsung-Wei Huang 2 , Yibo Lin 1 1 CS Department, Peking University 2 ECE Department, University of Utah Outline 2 Introduction Static timing analysis (STA) Previous work on STA

800 views • 23 slides
Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen,

Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen,

Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen, Bor-Yuh Evan Chang &amp; Anders Mller Sound static analysis for JavaScript Static analysis for JavaScript is very challenging o[m]() 2 /17

605 views • 36 slides
Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview TDDC90: Software Security Syntactic Analysis Ahmed Rezine Abstract Interpretation IDA, Linkpings Universitet Hsttermin 2014 Static Program

75 views • 7 slides
Static Analysis and Interactive Theorem Proving - A Match Made in Heaven ? Jael E. Kriener

Static Analysis and Interactive Theorem Proving - A Match Made in Heaven ? Jael E. Kriener

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet... Static Analysis and Interactive Theorem Proving - A Match Made in Heaven ? Jael E. Kriener University of Kent, Canterbury November 18, 2011

429 views • 25 slides

More recommend