introduction to static analysis
play

Introduction to Static Analysis 17654: Analysis of Software - PDF document

Apr 12, 2023 •436 likes •904 views

Introduction to Static Analysis 17654: Analysis of Software Artifacts Jonathan Aldrich

  1. Introduction to Static Analysis 17�654: Analysis of Software Artifacts Jonathan Aldrich ��������� �������������������������������������������������������� � ���������������� Find the Bug! Source: Engler et al., ���������������������� ������������������������������������������ ������������������� , OSDI ’00. disable interrupts ���������������� ������������������������ re�enable interrupts ��������� �������������������������������������������������������� � ���������������� 1

  2. Metal Interrupt Analysis Source: Engler et al., ���������������������� ������������������������������������������ ������������������� , OSDI ’00. enable => err(double enable) is_enabled enable disable is_disabled end path => err(end path with/intr disabled) disable => err(double disable) ��������� �������������������������������������������������������� � ���������������� Applying the Analysis Source: Engler et al., ���������������������� ������������������������������������������ ������������������� , OSDI ’00. initial state is_enabled transition to is_disabled final state is_disabled: ERROR! transition to is_enabled final state is_enabled is OK ��������� �������������������������������������������������������� � ���������������� 2

  3. Outline • Why static analysis? • The limits of testing and inspection • What is static analysis? • How does static analysis work? • AST Analysis • Dataflow Analysis ��������� �������������������������������������������������������� � ���������������� ��������� �������������������������������������������������������� � ���������������� 3

  4. Process, Cost, and Quality Slide: William Scherlis ���������"���#�"���"�� �$$����"������("������ �����"����"$��"�%�����"� �"$�����������"��$�$���� ����$������&��$��� �������(����%� ���������'������ �!%��#�!�"� ���������" *�"�����"�)��+ ��������������!�� ����%��)����� �������� ������� ������� ����������� ���� ������������������������������������������������ ��������������������� ������������������� � � ����!������������ ��������� �������������������������������������������������������� � ���������������� Root Causes of Errors • Requirements problems • Don’t fit user needs ����������������������������� • Design flaws Hard Does design achieve goals? • Lacks required qualities Is design implemented right? • Implementation errors • Assign Is data initialized? � • Checking Security Is dereference/indexing valid? • Algorithm • Timing Are threads synchronized? Hard • Interface Are interface semantics followed? • Relationship Are invariants maintained? Taxonomy: [Chillarege et al., Orthogonal Defect Classification] ��������� �������������������������������������������������������� � ���������������� 4

  5. Existing Approaches • Testing: �������������� • Limitations ������ • Non�local interactions • Uncommon paths • Verifies features work • Non�determinism • Finds algorithmic problems • Static analysis: �����!����� ���������� • Inspection: ������� ������� • Verifies non�local ������ consistency • Missing requirements • Checks all paths • Design problems • Considers all non� • Style issues deterministic choices • Application logic ��������� �������������������������������������������������������� � ���������������� Static Analysis Finds “Mechanical” Errors • Defects that result from inconsistently following simple, mechanical design rules • Security vulnerabilities • Buffer overruns, unvalidated inputK • Memory errors • Null dereference, uninitialized dataK • Resource leaks • Memory, OS resourcesK • Violations of API or framework rules • e.g. Windows device drivers; real time libraries; GUI frameworks • Exceptions • Arithmetic/library/user�defined • Encapsulation violations • Accessing internal data, calling private functionsK • Race conditions • Two threads access the same data without synchronization ��������� �������������������������������������������������������� �� ���������������� 5

  6. Empirical Results on Static Analysis • Nortel study [Zheng et al. 2006] • 3 C/C++ projects • 3 million LOC total • Early generation static analysis tools • Conclusions • Cost per fault of static analysis 61�72% compared to inspections • Effectively finds assignment, checking faults • Can be used to find potential security vulnerabilities ��������� �������������������������������������������������������� �� ���������������� Empirical Results on Static Analysis • InfoSys study [Chaturvedi 2005] • 5 projects • Average 700 function points each • Compare inspection with and without static analysis • Conclusions • Fewer defects • Higher productivity Adapted from [Chaturvedi 2005] ��������� �������������������������������������������������������� �� ���������������� 6

  7. Quality Assurance at Microsoft (Part 1) • Original process: manual code inspection • Effective when system and team are small • Too many paths to consider as system grew • Early 1990s: add massive system and unit testing • Tests took weeks to run • Diversity of platforms and configurations • Sheer volume of tests • Inefficient detection of common patterns, security holes • Non�local, intermittent, uncommon path bugs • Was treading water in Windows Vista development • Early 2000s: add static analysis • More on this later ��������� �������������������������������������������������������� �� ���������������� Outline • Why static analysis? • What is static analysis? • Abstract state space exploration • How does static analysis work? • What do practical tools look like? • How does it fit into an organization? ��������� �������������������������������������������������������� �� ���������������� 7

Recommend

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

490 views • 37 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
CMSC 430 Introduction to Compilers Fall 2018 Symbolic Execution Introduction Static

CMSC 430 Introduction to Compilers Fall 2018 Symbolic Execution Introduction Static

CMSC 430 Introduction to Compilers Fall 2018 Symbolic Execution Introduction Static analysis is great Lots of interesting ideas and tools Commercial companies sell, use static analysis It all looks good on paper, and in papers

317 views • 27 slides
CMSC 430 Introduction to Compilers Spring 2016 Symbolic Execution Introduction Static

CMSC 430 Introduction to Compilers Spring 2016 Symbolic Execution Introduction Static

CMSC 430 Introduction to Compilers Spring 2016 Symbolic Execution Introduction Static analysis is great Lots of interesting ideas and tools Commercial companies sell, use static analysis #!@? It all looks good on paper, and in

318 views • 28 slides
Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI

Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI

Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby Static Analysis for Assurance: 1 Overview What is static analysis? Examples of some techniques

732 views • 34 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on

938 views • 69 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER What is static analysis? Compile-time testing of all possible code paths. Whats Coverity static analysis

236 views • 12 slides
Outline t t Why static analysis? t t What is it? Underlying technology t Some

Outline t t Why static analysis? t t What is it? Underlying technology t Some

2005-05-04 Static Analysis methods and tools An industrial study t Pr Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU t itle Outline t t Why static analysis? t t What is it? Underlying technology t Some tools

438 views • 19 slides
Notes for State of the Art Report on Type Systems and Static Analysis for Distributed Programming

Notes for State of the Art Report on Type Systems and Static Analysis for Distributed Programming

Notes for State of the Art Report on Type Systems and Static Analysis for Distributed Programming Languages J. Rathke Mikado meeting Lisbon, June 2002 p.1/7 Introduction Why use typed languages? What is typed static analysis?

118 views • 7 slides
Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Tid rum Static Execution Time Analysis Niklas Holsti Space Systems Finland Ltd (now) Tidorum Ltd(to be) Overview Area of interest Current state Work in progress What to do next 1 bo Akademi, ES lab, 2003-10-03 Tid rum

466 views • 12 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 149 Outline Introduction 1 Formal

861 views • 68 slides
GPU-Accelerated Static Timing Analysis Zizheng Guo 1 , Tsung-Wei Huang 2 , Yibo Lin 1 1 CS

GPU-Accelerated Static Timing Analysis Zizheng Guo 1 , Tsung-Wei Huang 2 , Yibo Lin 1 1 CS

GPU-Accelerated Static Timing Analysis Zizheng Guo 1 , Tsung-Wei Huang 2 , Yibo Lin 1 1 CS Department, Peking University 2 ECE Department, University of Utah Outline 2 Introduction Static timing analysis (STA) Previous work on STA

800 views • 23 slides
Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen,

Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen,

Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen, Bor-Yuh Evan Chang & Anders Mller Sound static analysis for JavaScript Static analysis for JavaScript is very challenging o[m]() 2 /17

605 views • 36 slides
Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview TDDC90: Software Security Syntactic Analysis Ahmed Rezine Abstract Interpretation IDA, Linkpings Universitet Hsttermin 2014 Static Program

75 views • 7 slides
Static Analysis and Interactive Theorem Proving - A Match Made in Heaven ? Jael E. Kriener

Static Analysis and Interactive Theorem Proving - A Match Made in Heaven ? Jael E. Kriener

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet... Static Analysis and Interactive Theorem Proving - A Match Made in Heaven ? Jael E. Kriener University of Kent, Canterbury November 18, 2011

429 views • 25 slides

More recommend