
Program Analysis using Weighted Pushdown Systems - PowerPoint Presentation

Uploaded by debby-jeon on 2018-03-17 (386 views)




Presentation Transcript

Slide1

Program Analysis using Weighted Pushdown Systems

Thomas Reps (1,2), Akash Lal (1), and Nick Kidd (1)

1 Univ. of Wisconsin
2 GrammaTech, Inc.

Slide2

Static Program Analysis

Tool for building correct, reliable, efficient, and secure software

What states can my program reach?

Testing: run on specific (or random) inputs
Static analysis: run “in the aggregate” on descriptors of multiple states

Can e ever be out of bounds?   . . . a[e] . . .

Slide3

Static Program Analysis

Tool for building correct, reliable, efficient, and secure software

What states can my program reach?

Testing: run on specific (or random) inputs
Static analysis: run “in the aggregate” on descriptors of multiple states

Does the program conform to policy P?

Slide4

Sidestepping Undecidability

[Figure: a control-flow graph (CFG) on the left; in the middle, concrete sets of states SS transformed by f into f(SS); on the right, descriptors of state sets d transformed by the abstract transformer f# into f#(d).]

Slide5

Intraprocedural Analysis

[Figure: CFG with node enter at the top and node n below; V0 is the set of states at enter; a path from enter to n is labelled with edge functions f1, f2, …, f_{k-1}, f_k (and their abstract counterparts f#1, …, f#k).]

JOP(n) = ⊔_{p ∈ PathsTo[n]} pf_p(V0)

pf_p = f_k ∘ f_{k-1} ∘ … ∘ f_2 ∘ f_1

Slide6

Sidestepping Undecidability

[Figure: the universe of states, containing the reachable states and the bad states; the analysis computes an overapproximation of the reachable states, and where that overapproximation meets the bad states although the actual reachable states do not, the report is a false positive.]

Overapproximate the reachable states

False positive!

Slide7

Rest of the Talk: A Story

From CFL-Reachability to Weighted Pushdown Systems

T. Reps, S. Jha, S. Schwoon, N. Kidd, A. Lal, D. Melski, T. Touili, H. Wang, G. Balakrishnan, D. Gopan, J. Lim, S. Chaki, E. Clarke, S. Stubblebine

Prologue: Program analysis via CFL-reachability

Slide8

Our Story’s Theme: When the World Smiles on You

Aha! My problem P can be cast in formalism F, and I can use a known algorithm A_F

Bonus: Can sometimes do more, now that you know that P is an F problem

Bummer: I want to do “something” that F doesn’t support

Ah! Extend F to do “something”

Write new paper, which is interesting because of the connection to P

Discover that the extension has applications and/or applications in the original context (i.e., F problems)

Slide9

Ordinary Graph Reachability vs. CFL-Reachability

[Figure: a graph with source s and target t; edges are labelled e (plain edges) or with parentheses and brackets “(”, “)”, “[”, “]”. Ordinary reachability asks whether any s-to-t path exists; CFL-reachability asks whether some s-to-t path spells a string of the language generated by the grammar below.]

matched → ε
        | e
        | [ matched ]
        | ( matched )
        | matched matched

Slide10

CFL-Reachability via Dynamic Programming

[Figure: a grammar production A → B C is matched against a path consisting of an edge labelled B followed by an edge labelled C; a summary edge labelled A is added between the path’s endpoints.]

Grammar: A → B C.   Graph: a B-edge followed by a C-edge yields an A-edge.

O(V^3) [Yannakakis 90]
o(V^3) [Chaudhuri 08]
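The dynamic-programming algorithm sketched on the two preceding slides, as an added example that is not code from the talk: a worklist CFL-reachability solver in Python over the matched-parentheses grammar of Slide9, run on a small constructed graph. The node names, the binarised form of the grammar and the helper names are assumptions.

```python
from collections import defaultdict

# Added example (not from the slides): CFL-reachability by dynamic programming.
# Grammar productions are (lhs, rhs) with rhs of length 0, 1 or 2, and the rule
# "if i -B-> j and j -C-> k then i -A-> k" for every production A -> B C is
# applied by a worklist until no new summary edge appears (the O(V^3) scheme).

def cfl_reachability(nodes, edges, grammar):
    """Closure of `edges` under `grammar`: all (i, label, j) such that some
    i-to-j path spells a string derivable from `label`."""
    out = defaultdict(set)   # out[i] = {(label, j)}
    inc = defaultdict(set)   # inc[j] = {(label, i)}
    closure, worklist = set(), []

    def add(i, label, j):
        if (i, label, j) not in closure:
            closure.add((i, label, j))
            out[i].add((label, j))
            inc[j].add((label, i))
            worklist.append((i, label, j))

    for i, label, j in edges:
        add(i, label, j)
    for lhs, rhs in grammar:            # epsilon productions: a self-loop on every node
        if not rhs:
            for n in nodes:
                add(n, lhs, n)
    unary = [(lhs, rhs[0]) for lhs, rhs in grammar if len(rhs) == 1]
    binary = [(lhs, rhs) for lhs, rhs in grammar if len(rhs) == 2]

    while worklist:
        i, y, j = worklist.pop()
        for lhs, b in unary:
            if b == y:
                add(i, lhs, j)
        for lhs, (b, c) in binary:
            if y == b:                  # have i -B-> j, look for j -C-> k
                for label, k in list(out[j]):
                    if label == c:
                        add(i, lhs, k)
            if y == c:                  # have i -C-> j, look for h -B-> i
                for label, h in list(inc[i]):
                    if label == b:
                        add(h, lhs, j)
    return closure

# The grammar from Slide9, binarised:
# matched -> eps | e | ( matched ) | [ matched ] | matched matched
MATCHED_GRAMMAR = [
    ("matched", ()),
    ("matched", ("e",)),
    ("matched", ("(", "matched)")),
    ("matched)", ("matched", ")")),
    ("matched", ("[", "matched]")),
    ("matched]", ("matched", "]")),
    ("matched", ("matched", "matched")),
]

# Constructed graph: s reaches t along "( e ) [ e ]" (matched) and reaches u
# along "( ]" (not matched).  Node names are assumptions.
NODES = ["s", "n1", "n2", "n3", "n4", "n5", "n6", "t", "u"]
EDGES = [
    ("s", "(", "n1"), ("n1", "e", "n2"), ("n2", ")", "n3"),
    ("n3", "[", "n4"), ("n4", "e", "n5"), ("n5", "]", "t"),
    ("s", "(", "n6"), ("n6", "]", "u"),
]

def ordinary_reachable(edges, src):
    """Plain graph reachability, ignoring edge labels."""
    seen, stack = set(), [src]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(j for i, _, j in edges if i == n)
    return seen

def matched_targets(nodes, edges, grammar, src, start="matched"):
    """Nodes j such that some src-to-j path spells a `start`-string."""
    closure = cfl_reachability(nodes, edges, grammar)
    return {j for i, label, j in closure if i == src and label == start}

if __name__ == "__main__":
    print("ordinary:", sorted(ordinary_reachable(EDGES, "s")))
    print("CFL:     ", sorted(matched_targets(NODES, EDGES, MATCHED_GRAMMAR, "s")))
```

Ordinary reachability reports u as reachable from s; CFL-reachability rejects it because the "( ]" path is not in the language, while s, n3 (spelling "( e )") and t ("( e ) [ e ]") are accepted.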

Slide11

[Figure: interprocedural control-flow graph. main: start main; x = 3; p(x,y); return from p; printf(y); exit main. p: start p(a,b); if . . .; b = a; p(a,b); return from p; printf(b); exit p. Call edges and return edges are labelled with parentheses “(” and “)” so that a matched path pairs each return with its call; a stray “]” marks an unmatched edge.]

Slide12

Interprocedural Analysis

[Figure: CFG with nodes start, call q, enter q, exit q, ret, and n; V0 is the set of states at start. A path from start to n is labelled with edge functions f1, f2, f3, f4, f5, …, f_{k-3}, f_{k-2}, f_{k-1}, f_k (and abstract counterparts f#); the call-q-to-enter-q edge is labelled “(” and the exit-q-to-ret edge is labelled with the matching “)”.]

JOVP(n) = ⊔_{p ∈ MatchedPathsTo[n]} pf_p(V0)

Slide13

Representing Distributive Functions [RHS95]

Identity Function:   f({a, b}) = {a, b},   f = λV.V

Constant Function:   f({a, b}) = {b},   f = λV.{b}

[Figure: each function drawn as a representation relation between an input row of nodes a, b, c and an output row of nodes a, b, c.]

Slide14

Representing Distributive Functions [RHS95]

“Gen/Kill” Function:   f({a, b}) = {a, c},   f = λV.(V − {b}) ∪ {c}

Non-“Gen/Kill” Function:   f({a, b}) = {a, b},   f = λV. if a ∈ V then V ∪ {b} else V − {b}

[Figure: each function drawn as a representation relation between an input row of nodes a, b, c and an output row of nodes a, b, c.]
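The representation-relation encoding of [RHS95] from the two preceding slides, as an added example (not code from the talk): each distributive function over subsets of D is stored as a relation over D ∪ {Λ}, evaluated and composed relationally, and checked against the four functions and the f({a, b}) results shown on the slides. Function and helper names are assumptions.

```python
# Added example (not from the slides): representation relations for
# distributive functions on sets [RHS95].  A function f over subsets of D is
# stored as a relation over D ∪ {Λ}: Λ→Λ is always present, Λ→y means
# y ∈ f(∅), and x→y (x ≠ Λ) means y ∈ f({x}) but y ∉ f(∅).  Because f is
# distributive, f(V) = f(∅) ∪ ⋃_{x∈V} f({x}), so the relation determines f.

LAMBDA = "Λ"
DOMAIN = ("a", "b", "c")

def represent(f, domain=DOMAIN):
    """Build the representation relation R_f of a distributive function f."""
    rel = {(LAMBDA, LAMBDA)}
    base = f(frozenset())
    for y in base:
        rel.add((LAMBDA, y))
    for x in domain:
        for y in f(frozenset([x])):
            if y not in base:
                rel.add((x, y))
    return frozenset(rel)

def apply_relation(rel, v):
    """Evaluate the function encoded by `rel` on the set v."""
    return frozenset(y for x, y in rel if y != LAMBDA and (x == LAMBDA or x in v))

def compose(rel_g, rel_f):
    """Relation for g ∘ f (apply f first, then g): relational composition."""
    return frozenset((x, z) for x, y in rel_f for y2, z in rel_g if y == y2)

def agrees(f, rel, inputs):
    """Check that the relation reproduces f on every input set given."""
    return all(apply_relation(rel, v) == f(v) for v in inputs)

# The four functions from the slides (names are assumptions).
identity = lambda v: v
constant_b = lambda v: frozenset({"b"})
gen_kill = lambda v: (v - {"b"}) | {"c"}
non_gen_kill = lambda v: (v | {"b"}) if "a" in v else (v - {"b"})

# Every subset of D, used to confirm that each relation is a faithful encoding.
ALL_SUBSETS = [frozenset(s) for s in ("", "a", "b", "c", "ab", "ac", "bc", "abc")]

if __name__ == "__main__":
    for name, f in [("identity", identity), ("constant", constant_b),
                    ("gen/kill", gen_kill), ("non-gen/kill", non_gen_kill)]:
        rel = represent(f)
        print(name, sorted(rel), "f({a,b}) =", sorted(apply_relation(rel, frozenset("ab"))))
```

The composition check at the end of the test shows why the encoding matters for interprocedural analysis: the relation for a whole procedure is obtained by composing the relations of its edges, never by re-evaluating the functions.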

Slide15

[Figure: the interprocedural CFG of main and p from Slide11, with the dataflow facts x, y (in main) and a, b (in p) drawn as exploded-supergraph nodes at each program point.]

Slide16

[Figure: the same exploded supergraph for main and p with facts x, y, a, b; the call and return edges are labelled with matching parentheses.]

Might y be uninitialized here? YES!

Might b be uninitialized here? NO!

Slide17

CFL-Reachability Advantages

Intuitive: good conceptual model for understanding many dataflow-analysis results

Linear-time algorithms for some variants

Slide18

Unifying Conceptual Model for Dataflow-Analysis Literature

Linear-time gen-kill [Hecht 76], [Kou 77]
Path-constrained DFA [Holley & Rosen 81]
Linear-time GMOD [Cooper & Kennedy 88]
Flow-sensitive MOD [Callahan 88]
Linear-time interprocedural gen-kill [Knoop & Steffen 93]
Linear-time bidirectional gen-kill [Dhamdhere 94]
Relationship to interprocedural DFA [Sharir & Pnueli 81], [Knoop & Steffen 92]

Slide19

. . . As Well As . . .

Flow-insensitive points-to analysis
Model checking of recursive hierarchical finite-state machines
Analysis of attribute grammars
Security of crypto-based protocols for distributed systems [Dolev, Even, & Karp 83]
Formal-language problems
  CFL-recognition (given G and a string, is the string in L(G)?)
  2DPDA- and 2NPDA-simulation (given M and a string, is the string in L(M)?)
String-matching problems

Slide20

Rest of the Talk: A Story

From CFL-Reachability to Weighted Pushdown Systems

T. Reps, S. Jha, S. Schwoon, N. Kidd, A. Lal, D. Melski, T. Touili, H. Wang, G. Balakrishnan, D. Gopan, J. Lim, S. Chaki, E. Clarke, S. Stubblebine

Slide21

Our Story

Prologue: Program analysis via CFL-reachability

Chapter 1: Cubic-time algorithm for certificate-chain discovery in SPKI/SDSI:
D. Clarke, J.-E. Elien, C.M. Ellison, M. Fredette, A. Morcos, and R.L. Rivest, Certificate chain discovery in SPKI/SDSI, JCS, 2001

Slide22

Authorization to Use Shared Resources

Traditionally, use access control lists (ACLs)

Associate permissions with objects

E.g., AFS permissions for directory D:

  reps           rlidwka
  touili         rlidwk
  reps:students  rl

Slide23

Trust Management

Express security policy in a formal language

Digitally signed statements
  Bob: Joe is my student [C1]
  Alice: All of Bob’s students can access host H [C2]

Find a proof of authorization: “certificate-chain discovery”
  Joe provides “proof of authorization” to Alice: C1 + C2

Proof is checked and Joe is granted access: “compliance checking”

Examples: Keynote [Blaze et al.], Referee [Chu et al.], RT* [Li and Mitchell], SD3 [Jim], Binder [DeTreville], …

Slide24

SPKI: Ellison, Frantz, Thomas, & Ylonen
SDSI: Lampson and Rivest
SPKI/SDSI: Ellison, Frantz, Lampson, Rivest, Thomas, & Ylonen

[Figure: the two ingredients of SPKI/SDSI: local name spaces (e.g., reps student, reps student spouse) and delegation.]

Slide25

SPKI/SDSI

Principals (Public Keys)
  K_Bob, K_Alice: individuals
  K_CS: CS Department
  K_Owner[R]: owner of resource R

Local Names
  K_CS faculty
  K_Bob myStudents

Extended Names
  K_Bob myStudents spouse

Slide26

Name Certs

Bob is a CS faculty member:   K_CS faculty → K_Bob

Alice is a student of Bob’s:   K_Bob myStudents → K_Alice

Alice’s friends . . .
  K_Alice myFriends → K_Joe
  K_Alice myFriends → K_Mary enemies
  K_Alice myFriends → K_Mary enemies spouse

Each name cert also has a validity specification (usually a time interval)

Slide27

Auth Certs

A CS faculty member can use host H:   K_Owner[H] □ → K_CS faculty □   (can delegate)

Bob allows access to his students:   K_Bob □ → K_Bob myStudents ■   (cannot delegate)

Alice allows access to her friends:   K_Alice □ → K_Alice myFriends

Slide28

Auth Certs

A CS faculty member can use host H:   K_Owner[H] □ → K_CS faculty □   (can delegate)

Bob allows access to his students:   K_Bob □ → K_Bob myStudents ■   (cannot delegate)

Alice allows access to her friends:   K_Alice □ → K_Alice myFriends

Each auth cert also has
  a validity specification (time interval)
  an authorization specification (e.g., H)

Slide29

Certificate Chain

Certificates: K_Owner[H] □ → K_CS faculty □;   K_CS faculty → K_Bob;   K_Bob □ → K_Bob myStudents ■;   K_Bob myStudents → K_Alice

[Figure: the certificates drawn as a graph over the terms K_Owner[H], K_CS faculty, K_Bob, K_Bob myStudents, and K_Alice, each cert an edge from its left-hand side to its right-hand side.]

Slide30

Certificate Chain

K_Owner[H] □ → K_CS faculty □ → K_Bob □ → K_Bob myStudents ■ → K_Alice ■

[Figure: the chain drawn as successive rewritings, starting from K_Owner[H] and ending at K_Alice.]

Slide31

Certificate Chain

Certificates: K_Owner[H] □ → K_CS faculty □;   K_CS faculty → K_Bob;   K_Bob □ → K_Bob myStudents ■;   K_Bob myStudents → K_Alice;   K_Alice □ → K_Alice myFriends

[Figure: the chain graph of the previous slides, extended with Alice’s auth cert K_Alice □ → K_Alice myFriends.]

Does not apply! (The chain reaches Alice as K_Alice ■, i.e., without delegation, so her own auth cert cannot extend it.)

Slide32

Basic Authorization-Access Query

Given a resource R and principal K, is K authorized to access R?

Solved by finding a certificate chain that proves that access is permitted (certificate-chain discovery)

Cubic-time algorithm: Clarke, Elien, Ellison, Fredette, Morcos, & Rivest [JCS 01]

Slide33

Our Story

Prologue: Program analysis via CFL-reachability

Chapter 1: Cubic-time algorithm for certificate-chain discovery in SPKI/SDSI [CEEFMR01]

Chapter 2 (Aha!): September 2001: Jha and Reps discuss Clarke et al. paper and see the connection between certificate-chain discovery and model-checking pushdown systems (PDSs)
  New application for PDS formalism; previously PDSs describe the call-return structure of programs
  PDS model checking: establish properties of recursive programs

Slide34

Unrolled Program = Transition System

[Figure: the interprocedural CFG of procedure p (nodes a, b, c, f, g, h, i, j) and procedure q (nodes d, e), unrolled so that each call of q gets its own copy of q.]

Slide35

Unrolled Program = ∞-State Transition System

[Figure: a recursive procedure p (nodes a, b, d, f, c, e) unrolled without bound: each recursive call produces another copy of p, so the transition system has infinitely many states. One configuration is marked with stack contents b, e c.]

Slide36

Pushdown System (PDS)

Pushdown automaton without an input tape

States: { σ1, σ2, σ3, σ4 }
Stack symbols: { A, B, C, D }
Transition rules:
  <σ1, A> → <σ2, ε>
  <σ1, A> → <σ2, B>
  <σ1, A> → <σ2, B C>

Slide37

Pushdown System (PDS)

Pushdown automaton without an input tape

States: { σ1, σ2, σ3, σ4 }
Stack symbols: { A, B, C, D }
Transition rules:
  <σ1, A> → <σ2, ε>
  <σ1, A> → <σ2, B>
  <σ1, A> → <σ2, B C>

Rule <σ1, A> → <σ2, ε>: if the state is σ1 and the top of the stack is A, then pop A and transition to state σ2.

Slide38

Pushdown System (PDS)

Pushdown automaton without an input tape

States: { σ1, σ2, σ3, σ4 }
Stack symbols: { A, B, C, D }
Transition rules:
  <σ1, A> → <σ2, ε>
  <σ1, A> → <σ2, B>
  <σ1, A> → <σ2, B C>

Rule <σ1, A> → <σ2, B>: if the state is σ1 and the top of the stack is A, then pop A, transition to state σ2, and push B.

Slide39

Pushdown System (PDS)

Pushdown automaton without an input tape

States: { σ1, σ2, σ3, σ4 }
Stack symbols: { A, B, C, D }
Transition rules:
  <σ1, A> → <σ2, ε>
  <σ1, A> → <σ2, B>
  <σ1, A> → <σ2, B C>

Rule <σ1, A> → <σ2, B C>: if the state is σ1 and the top of the stack is A, then pop A, transition to state σ2, push C; then push B.

Slide40

Rules Define a Transition Relation

<σ, A> → <σ’, ε>     [Figure: in state σ with A on top of the stack, A is removed and the state becomes σ’]
<σ, A> → <σ’, B>     [Figure: A on top of the stack is replaced by B]
<σ, A> → <σ’, B C>   [Figure: A on top of the stack is replaced by C, with B pushed above it]

Slide41

Pushdown System (PDS)

Pushdown automaton without an input tape

Mechanism for defining a class of infinite-state transition systems

Rule: <σ, A> → <σ, A A>

<σ, A> ⇒ <σ, A A> ⇒ <σ, A A A> ⇒ <σ, A A A A> ⇒ ׃

Slide42

Interprocedural CFG as a PDS

[Figure: procedure p with nodes a, b, c, f, g, h, i, j and procedure q with nodes d, e; p calls q from c (returning to f) and from h (returning to i). Each slide below highlights one CFG edge and the PDS rule that encodes it.]

<σ, a> → <σ, b>

Slide43

Interprocedural CFG as a PDS

<σ, b> → <σ, c>

Slide44

Interprocedural CFG as a PDS

<σ, c> → <σ, d f>   (save return site on stack)

Slide45

Interprocedural CFG as a PDS

<σ, d> → <σ, e>

Slide46

Interprocedural CFG as a PDS

<σ, e> → <σ, ε>   (uncovers most recent call site)

Slide47

Interprocedural CFG as a PDS

<σ, f> → <σ, g>

Slide48

Interprocedural CFG as a PDS

<σ, g> → <σ, h>

Slide49

Interprocedural CFG as a PDS

<σ, h> → <σ, d i>   (save return site on stack)

Slide50

Unrolled Program = Transition System

[Figure: the recursive procedure p (nodes a, b, d, f, c, e) unrolled as an infinite transition system; two configurations are marked: <σ, f e c> and <σ, b c c>.]

Slide51

PDS Terminology

Configuration: <σ, f e c>   (control state σ; stack f e c, with f on top)

c ⇒ c’ (transition relation): c’ follows from c by a transition rule; c is a predecessor of c’, and c’ a successor of c

c0 ⇒ c1 ⇒ . . . ⇒ cn   (a run)

c ⇒* c’: reflexive transitive closure of ⇒

Slide52

A Run

[Figure: the unrolled procedure p (nodes a, b, d, f, c, e) with the run below traced through successive copies of p.]

<σ, a> ⇒ <σ, b> ⇒ <σ, a c> ⇒ <σ, b c> ⇒ <σ, a c c> ⇒ <σ, f c c> ⇒ <σ, c c> ⇒ <σ, d c> ⇒ <σ, a e c> ⇒ <σ, f e c>

Slide53

A Run

[Figure: the same run, drawn on the unrolled program.]

Slide54

A Run

[Figure: the same run, drawn on the unrolled program.]
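A minimal pushdown system in Python, added here as an example (not code from the talk or from WPDS++): the rules encode the recursive procedure p of the unrolled-program figure, successors computes the ⇒ relation of the PDS-terminology slide, and the run shown on the “A Run” slides is checked step by step. The rule set and the helper names are assumptions chosen to reproduce that run.

```python
# Added example (not from the slides): a pushdown system with one control
# state, rules <σ, γ> → <σ, w>, and the transition relation ⇒ they define.
# The rules are constructed so that the run on the slides is a valid run:
#   a → b and a → f (intraprocedural edges), b → a c (call p, push return
#   site c), f → ε (return: pop), c → d, d → a e (call p, push return site e).
SIGMA = "σ"

RULES = {
    (SIGMA, "a"): [(SIGMA, ("b",)), (SIGMA, ("f",))],
    (SIGMA, "b"): [(SIGMA, ("a", "c"))],
    (SIGMA, "c"): [(SIGMA, ("d",))],
    (SIGMA, "d"): [(SIGMA, ("a", "e"))],
    (SIGMA, "f"): [(SIGMA, ())],
}

def successors(config, rules=RULES):
    """All c' with config ⇒ c': pop the top symbol, push the rule's word."""
    state, stack = config
    if not stack:
        return []
    top, rest = stack[0], stack[1:]
    return [(state2, word + rest) for (state2, word) in rules.get((state, top), [])]

def run_is_valid(run, rules=RULES):
    """A sequence c0, c1, …, cn is a run iff each ci ⇒ ci+1."""
    return all(nxt in successors(cur, rules) for cur, nxt in zip(run, run[1:]))

def reachable_within(start, max_depth, rules=RULES):
    """Configurations reachable from `start` whose stack depth stays ≤ max_depth.
    Without the bound the set is infinite (every recursive call deepens the
    stack), which is why the slides move to automaton representations."""
    seen, frontier = {start}, [start]
    while frontier:
        cur = frontier.pop()
        for nxt in successors(cur, rules):
            if len(nxt[1]) <= max_depth and nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen

# The run from the slides, stacks written top-first.
SLIDE_RUN = [(SIGMA, tuple(s)) for s in
             ["a", "b", "ac", "bc", "acc", "fcc", "cc", "dc", "aec", "fec"]]

if __name__ == "__main__":
    print("run valid:", run_is_valid(SLIDE_RUN))
    for cfg in SLIDE_RUN:
        print(cfg, "⇒", successors(cfg))
```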

Slide55

PDS Terminology

Configuration: <σ, B A C>   (control state σ; stack B A C, with B on top)

c ⇒ c’ (transition relation): c’ follows from c by a transition rule; c is a predecessor of c’, and c’ a successor of c

c0 ⇒ c1 ⇒ . . . ⇒ cn   (a run)

c ⇒* c’: reflexive transitive closure of ⇒

Slide56

PDS Terminology

Configuration: <K_Bob, myStudents>   (control state K_Bob; stack myStudents)

c ⇒ c’ (transition relation): c’ follows from c by a transition rule; c is a predecessor of c’, and c’ a successor of c

c0 ⇒ c1 ⇒ . . . ⇒ cn   (a run)

c ⇒* c’: reflexive transitive closure of ⇒

Slide57

Basic Authorization-Access Query

Is <K_Owner[H], □> ∈ Pre*({<K, □>, <K, ■>})?

S = {<K, □>, <K, ■>}

[Figure: the set Pre*(S), which contains S; the query asks whether the configuration <K_Owner[H], □> lies inside it.]

Slide58

Representation Issue

The set of configurations pre*(S) can be infinite

Example: rule <σ, A> → <σ, ε>

pre*({<σ, A>}) = { <σ, A^i> | i ≥ 1 }

<σ, A> ⇒ <σ, ε>;   <σ, A A> ⇒ <σ, A>;   <σ, A A A> ⇒ <σ, A A>;   ...

Solution in the PDS literature: represent a set of configurations with an automaton

Slide59

[Figure: an automaton M representing a set of configurations, and the automaton representing pre*(M).]

Slide60

[Figure: an automaton M representing a set of configurations, and the automaton representing post*(M).]

Slide61

[Figure: the initial P-automaton representing {<K_Alice, □>, <K_Alice, ■>}: one state per principal (K_CS, K_Owner[H], K_Alice, K_Bob) plus an accepting state, with a single transition from K_Alice to the accepting state labelled { □, ■ }.]

Slide62

What Does the Automaton Represent?

A set of configurations: <K, a1 … am> is in the set if there is a path K --a1--> --a2--> . . . --am--> (accepting state)

Initial automaton represents {<K_Alice, □>, <K_Alice, ■>}

[Figure: the automaton with states K_CS, K_Owner[H], K_Alice, K_Bob and a transition from K_Alice to the accepting state labelled { □, ■ }.]

Slide63

From M to Pre*(M)

Rule: <σ, A> → <σ1, A1 . . . Am>

[Figure (saturation rule): if the automaton has a path from σ1 to some state labelled A1 . . . Am, add a transition from σ to that state labelled A. Repeat until no transition can be added.]

Slide64

Pre*({<K_Alice, □>, <K_Alice, ■>})

[Figure: the P-automaton after the saturation steps for the name certs. K_CS faculty → K_Bob is the rule <K_CS, faculty> → <K_Bob, ε> and adds K_CS --faculty--> K_Bob; K_Bob myStudents → K_Alice is the rule <K_Bob, myStudents> → <K_Alice, ε> and adds K_Bob --myStudents--> K_Alice.]

Slide65

Pre*({<K_Alice, □>, <K_Alice, ■>})

[Figure: further saturation steps. Rule <K_Bob, □> → <K_Bob, myStudents ■>: the path K_Bob --myStudents--> K_Alice --■--> (accepting) exists, so K_Bob --□--> (accepting) is added. Rule <K_Owner[H], □> → <K_CS, faculty □>: the path K_CS --faculty--> K_Bob --□--> (accepting) now exists, so K_Owner[H] --□--> (accepting) is added.]

Slide66

Pre*({<K_Alice, □>, <K_Alice, ■>})

[Figure: the saturated automaton. It accepts <K_Owner[H], □>, i.e., <K_Owner[H], □> ∈ Pre*({<K_Alice, □>, <K_Alice, ■>}), so K_Alice is authorized to access H.]

Slide67

Time and Space Complexity

n_K: number of principals
|C|: sum of the lengths of the right-hand sides of the certs in C

Pre*: time complexity O(n_K |C|); space complexity O(n_K |C|)
Post*: time and space complexity O(n_K |C|^2)

Slide68

Our Story

Chapter 3 (Bonus): Applying model-checking techniques lets you answer other questions about SPKI/SDSI certificate sets [JR02, JR04]
  What are the properties of this security policy?
  What would happen if the policy were changed?

Slide69

Certificate-Set Analysis

Generalized authorization-access query: Given a resource R and name N (not necessarily a principal), is N authorized to access R?

Name N = K A1 … Am

Is <K_Owner[R], □> in pre*({<K, A1 … Am □>, <K, A1 … Am ■>})?

Slide70

Certificate-Set Analysis

Expiration vulnerability query: What resources will principal K be prevented from accessing if certificate set C’ expires?

R1 = pre*[C] ({<K, □>, <K, ■>})
R2 = pre*[C − C’] ({<K, □>, <K, ■>})

Answer: { K_Owner[R] | <K_Owner[R], □> is in R1 − R2 }
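Certificate-chain discovery as pre* over a pushdown system, added as an example that is not the Jha–Reps implementation: the certificates of Slides 26–27 become PDS rules, a P-automaton for {<K, □>, <K, ■>} is saturated with the rule of Slide63, and the basic, generalized and expiration-vulnerability queries of the preceding slides are answered from the saturated automaton. The automaton’s state names, the helper names and the K_Joe certificate are assumptions.

```python
from collections import defaultdict

# Added example (not the Jha–Reps code): SPKI/SDSI certificate-chain discovery
# as pre*.  A name cert "K A → K' B1 … Bk" is the rule <K, A> → <K', B1 … Bk>;
# an auth cert "K □ → K' B1 … Bk bit" is the rule <K, □> → <K', B1 … Bk bit>.
BOX, FILLED = "□", "■"      # delegation permitted / delegation not permitted
FINAL = "accept"            # the P-automaton's accepting state (an assumption)

# Constructed certificate set mirroring the slides.
CERTS = [
    (("K_CS", "faculty"),     ("K_Bob",   ())),                      # K_CS faculty → K_Bob
    (("K_Bob", "myStudents"), ("K_Alice", ())),                      # K_Bob myStudents → K_Alice
    (("K_Alice", "myFriends"),("K_Joe",   ())),                      # K_Alice myFriends → K_Joe
    (("K_Owner[H]", BOX),     ("K_CS",    ("faculty", BOX))),        # can delegate
    (("K_Bob", BOX),          ("K_Bob",   ("myStudents", FILLED))),  # cannot delegate
    (("K_Alice", BOX),        ("K_Alice", ("myFriends", FILLED))),   # cannot delegate
]

def read(trans, state, word):
    """States reachable from `state` by reading `word` in the automaton."""
    frontier = {state}
    for sym in word:
        frontier = {q for s in frontier for q in trans.get((s, sym), ())}
    return frontier

def pre_star(rules, targets):
    """Saturate a P-automaton for pre*(targets); targets are (state, word) pairs."""
    trans = defaultdict(set)
    for n, (state, word) in enumerate(targets):   # chain state -w1-> … -wk-> FINAL
        cur = state
        for k, sym in enumerate(word):
            nxt = FINAL if k == len(word) - 1 else f"mid{n}_{k}"
            trans[(cur, sym)].add(nxt)
            cur = nxt
    changed = True
    while changed:                 # saturation rule: <p,γ>→<p',w>, p' -w->* q  ⇒  add p -γ-> q
        changed = False
        for (p, gamma), (p2, w) in rules:
            for q in read(trans, p2, w):
                if q not in trans[(p, gamma)]:
                    trans[(p, gamma)].add(q)
                    changed = True
    return trans

def name_authorized(rules, owner, principal, local_names=()):
    """Generalized query: is <K_Owner[R], □> in pre*({<K, A1…Am □>, <K, A1…Am ■>})?"""
    prefix = tuple(local_names)
    aut = pre_star(rules, [(principal, prefix + (BOX,)), (principal, prefix + (FILLED,))])
    return FINAL in read(aut, owner, (BOX,))

def authorized(rules, owner, principal):
    """Basic authorization-access query (the name is just the principal)."""
    return name_authorized(rules, owner, principal)

def expiration_vulnerability(rules, expiring, principal, owners):
    """Owners whose resource `principal` can reach with all of `rules` but not
    after `expiring` certs have expired: R1 − R2 restricted to `owners`."""
    remaining = [r for r in rules if r not in expiring]
    return {o for o in owners
            if authorized(rules, o, principal) and not authorized(remaining, o, principal)}

if __name__ == "__main__":
    for who in ("K_Alice", "K_Bob", "K_Joe"):
        print(who, "→ H:", authorized(CERTS, "K_Owner[H]", who))
    print("if Bob's auth cert expires, Alice loses:",
          expiration_vulnerability(CERTS, [CERTS[4]], "K_Alice", ["K_Owner[H]"]))
```

K_Joe is rejected for the reason Slide31 gives: the chain reaches Alice as K_Alice ■, and no rule rewrites a ■ configuration, so Alice’s own auth cert never fires during saturation.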

Slide71

Certificate-Set Analysis

Many more — see [JR04]

Main message: Algorithms for model checking pushdown systems can be exploited to solve several certificate-set-analysis problems

Slide72

Our Story

Chapter 3 (Bonus): Applying model-checking techniques lets you answer other questions about SPKI/SDSI certificate sets [JR02, JR04]

Chapter 4 (Bummer): Actually, SPKI/SDSI ≠ PDS. What about issues such as recency, trust, and expiration? From PDSs to weighted PDSs [SJRS03]

Slide73

Weighted Pushdown System (WPDS) [BET03], [SJRS03]

States: { σ1, σ2, σ3, σ4 }
Stack symbols: { A, B, C, D }
Transition rules (each carries a weight):
  <σ1, A> → <σ2, ε>     w1
  <σ1, A> → <σ2, B>     w2
  <σ1, A> → <σ2, B C>   w3

Slide74

Privacy using a Weighted PDS

Rules, weighted with I (insensitive) or S (sensitive):
  <K_Insurer, □> → <K_H, patient ■>        I
  <K_H, patient> → <K_AIDS, patient>        S
  <K_H, patient> → <K_IM, patient>          I
  <K_AIDS, patient> → <K_Alice, ε>          S
  <K_IM, patient> → <K_Alice, ε>            I

Slide75

Privacy using a Weighted PDS

[Figure: the two derivations from <K_Insurer, □>. Through K_H and K_IM: <K_Insurer, □> ⇒ <K_H, patient ■> ⇒ <K_IM, patient ■> ⇒ <K_Alice, ■>, every step weighted I, so the chain’s weight is I ⊗ I ⊗ I = I. Through K_H and K_AIDS: <K_H, patient ■> ⇒ <K_AIDS, patient ■> ⇒ <K_Alice, ■>, with S-weighted steps, so that chain’s weight is S.]

Slide76

Idempotent Semiring (D, ⊕, ⊗, 0, 1)   [= Join Semilattice (D, ⊔, ..., ⊥, ...)]

a ⊕ 0 = a
a ⊕ b = b ⊕ a
a ⊕ (b ⊕ c) = (a ⊕ b) ⊕ c
a ⊕ a = a

a ⊗ 1 = a
a ⊗ (b ⊗ c) = (a ⊗ b) ⊗ c
a ⊗ (b ⊕ c) = (a ⊗ b) ⊕ (a ⊗ c)
(a ⊕ b) ⊗ c = (a ⊗ c) ⊕ (b ⊗ c)
a ⊗ 0 = 0 ⊗ a = 0

a ⊑ b iff a ⊕ b = b
⊕ = ⊔

Slide77

a ⊑ b iff a ⊕ b = b;   ⊕ = ⊔

              D           ⊕            ⊗            0     1
  Validity    N ∪ {∞}     max          min          −∞    +∞
  Privacy     {S, I}      S ⊕ I = I    S ⊗ I = S    S     I

Idempotent Semiring (D, ⊕, ⊗, 0, 1)   [= Join Semilattice (D, ⊔, ..., ⊥, ...)]

Slide78

Validity using a Weighted PDS

  Rule                          Validity
  K_Owner[D] □ → K_Alice ■      10
  K_Owner[D] □ → K_Alice ■      20

Request: Does K_Alice have the right to access D? If so, what is the cert chain with the largest validity value?

Slide79

Validity using a Weighted PDS

<K_Owner[D], □> → <K_Alice, ■> with weight 10, and again with weight 20

max(10, 20) = 20:   10 ⊕ 20 = 20, since ⊕ = max

Slide80

“Auth Cert Reduction is Incomplete” [LM03]

  Rule                          Authorization
  K_Owner[D] □ → K_Alice ■      {read}
  K_Owner[D] □ → K_Alice ■      {write}

Request: Does K_Alice have {read, write} access to D?

RFC 2693: “Remove all certificates whose authorization is not ⊇ {read, write}”  ⇒  No

Slide81

Authorization using a Weighted PDS

<K_Owner[D], □> → <K_Alice, ■> with weight {read}, and again with weight {write}

{read} ⊕ {write} = {read, write}

Cert chain?!

Slide82

Authorization using a Weighted PDS

<K_Owner[D], □> → <K_Alice, ■> with weight {read}, and again with weight {write}

{read} ⊕ {write} = {read, write}

Cert tree!

Slide83

Authorization + Validity

  Rule                          Authorization   Validity
  K_Owner[D] □ → K_Alice ■      {read}          10
  K_Owner[D] □ → K_Alice ■      {write}         20

                  D              ⊕     ⊗     0     1
  Authorization   2^{rlidwka}    ∪     ∩     ∅     {rlidwka}
  Validity        N ∪ {∞}        max   min   −∞    +∞

Combined weight: {read, write}, 20 ?   or   {read:10, write:20}

Slide84

Authorization + Validity

<K_Owner[D], □> → <K_Alice, ■> with weight {read:10}, and again with weight {write:20}

{read:10} ⊕ {write:20} = {read:10, write:20}

Slide85

Authorization + Validity

<K_Owner[D], □> → <K_Alice, ■> with weight {r:10, w:15, l:10}, and again with weight {r:5, w:20, k:5}

{r:10, w:15, l:10} ⊕ {r:5, w:20, k:5} = {r:10, w:20, l:10, k:5}
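The weighted saturation step (a transition’s weight becomes V ⊕ (w ⊗ X)) applied to the validity, authorization and combined examples of the preceding slides, as an added example that is not WPDS++ or WALi code. The combined semiring, rights mapped to validity values with pointwise max as ⊕ and pointwise min over shared rights as ⊗, is our own assumption about how the two domains are paired; single-letter AFS rights (r, w, …) stand in for the slides’ read and write.

```python
import math
from collections import defaultdict, namedtuple

# Added example (not WPDS++/WALi code): weighted pre* over a pushdown system
# whose rule weights come from an idempotent semiring (combine = ⊕, extend = ⊗).
Semiring = namedtuple("Semiring", "combine extend zero one")
BOX, FILLED, FINAL = "□", "■", "accept"
RIGHTS = frozenset("rlidwka")      # AFS rights: the slides' {rlidwka}

# Validity: (N ∪ {∞}, max, min, −∞, +∞).  Authorization: (2^{rlidwka}, ∪, ∩, ∅, {rlidwka}).
VALIDITY = Semiring(max, min, -math.inf, math.inf)
AUTHORIZATION = Semiring(lambda a, b: a | b, lambda a, b: a & b, frozenset(), RIGHTS)

# Assumed combination: right → validity; ⊕ is pointwise max over the union of
# rights, ⊗ keeps only rights present on both sides with the smaller validity.
def _combine_map(a, b):
    return {r: max(a.get(r, -math.inf), b.get(r, -math.inf)) for r in a.keys() | b.keys()}

def _extend_map(a, b):
    return {r: min(a[r], b[r]) for r in a.keys() & b.keys()}

AUTH_VALIDITY = Semiring(_combine_map, _extend_map, {}, {r: math.inf for r in RIGHTS})

def read_weighted(trans, sr, state, word):
    """Map each state reachable by `word` to the ⊕ of the ⊗-products along all paths."""
    frontier = {state: sr.one}
    for sym in word:
        nxt = {}
        for s, acc in frontier.items():
            for q, wt in trans.get((s, sym), {}).items():
                v = sr.extend(acc, wt)
                nxt[q] = sr.combine(nxt[q], v) if q in nxt else v
        frontier = nxt
    return frontier

def weighted_pre_star(rules, targets, sr):
    """rules: ((p, γ), (p', w), weight).  Returns trans[(p, γ)] = {q: weight}."""
    trans = defaultdict(dict)
    for n, (state, word) in enumerate(targets):   # target automaton, all weights 1
        cur = state
        for k, sym in enumerate(word):
            nxt = FINAL if k == len(word) - 1 else f"mid{n}_{k}"
            trans[(cur, sym)][nxt] = sr.one
            cur = nxt
    changed = True
    while changed:                       # saturation: l(p -γ-> q) := l ⊕ (w ⊗ X)
        changed = False
        for (p, gamma), (p2, w), weight in rules:
            for q, x in read_weighted(trans, sr, p2, w).items():
                old = trans[(p, gamma)].get(q, sr.zero)
                new = sr.combine(old, sr.extend(weight, x))
                if new != old:
                    trans[(p, gamma)][q] = new
                    changed = True
    return trans

def access_weight(rules, sr, owner, principal):
    """Weight of <K_Owner[D], □> in pre*({<K, □>, <K, ■>}): the ⊕ over every
    certificate chain, i.e., the value of the whole cert tree."""
    aut = weighted_pre_star(rules, [(principal, (BOX,)), (principal, (FILLED,))], sr)
    return read_weighted(aut, sr, owner, (BOX,)).get(FINAL, sr.zero)

# The two auth certs K_Owner[D] □ → K_Alice ■ from the slides, with their weights.
def cert(weight):
    return (("K_Owner[D]", BOX), ("K_Alice", (FILLED,)), weight)

VALIDITY_CERTS = [cert(10), cert(20)]
AUTH_CERTS = [cert(frozenset({"r"})), cert(frozenset({"w"}))]
COMBINED_CERTS = [cert({"r": 10, "w": 15, "l": 10}), cert({"r": 5, "w": 20, "k": 5})]

if __name__ == "__main__":
    print(access_weight(VALIDITY_CERTS, VALIDITY, "K_Owner[D]", "K_Alice"))
    print(access_weight(AUTH_CERTS, AUTHORIZATION, "K_Owner[D]", "K_Alice"))
    print(access_weight(COMBINED_CERTS, AUTH_VALIDITY, "K_Owner[D]", "K_Alice"))
```

Because ⊕ is taken over all chains, the authorization answer is {r, w} even though no single certificate grants both rights, which is the “cert tree” of Slide82 rather than the single chain that RFC 2693’s reduction looks for.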

Slide86

From M to Pre*(M)

Rule: <σ, A> → <σ1, A1 . . . Am> with weight w

[Figure (weighted saturation rule): if the automaton has a path from σ1 to a state σk labelled A1 . . . Am whose transition weights combine (by ⊗) to X, then the transition from σ to σk labelled A receives the weight V ⊕ (w ⊗ X), where V is its current weight.]

Slide87

Our Story

Chapter 3 (Bonus): Applying model-checking techniques lets you answer other questions about SPKI/SDSI certificate sets [JR02, JR04]

Chapter 4 (Bummer): Actually, SPKI/SDSI ≠ PDS. What about issues such as recency, trust, and expiration? From PDSs to weighted PDSs [SJRS03]

Chapter 5 (Ah!): WPDSs provide a new framework for static program analysis that is strictly richer than 35 years worth of previous approaches [RSJ03, RSJM05]

Slide88

a ⊑ b iff a ⊕ b = b;   ⊕ = ⊔

                     D              ⊕            ⊗            0     1
  Validity           N ∪ {∞}        max          min          −∞    +∞
  Privacy            {S, I}         S ⊕ I = I    S ⊗ I = S    S     I
  Auth.              2^{rlidwka}    ∪            ∩            ∅     {rlidwka}
  Dataflow analysis  D              ⊔            ∘            ⊥     id

Idempotent Semiring (D, ⊕, ⊗, 0, 1)   [= Join Semilattice (D, ⊔, ..., ⊥, ...)]

Slide89

WPDSs: A More Powerful Program-Analysis Framework

Example: better debugging primitive
  at a breakpoint at n, retrieve the stack (say S)
  stack-constrained slicing: “What are the program elements that could have affected the values used at n, given that we reached n with stack S?”

Slide90

An Expanded Set of Queries

  int x;

  void main() {
    x = 5;
    p();           // main_calls_p
    return;
  }

  void p() {
    if (...) {
      x = x + 1;
      p();         // p_calls_p1
      x = x - 1;
    }
    if (...) {
      x = x - 1;
      p();         // p_calls_p2
      x = x + 1;
    }
    return;
  }

Query: value of x at <x, enter_p p_calls_p2 p_calls_p1 main_calls_p>   ⇒   5

Slide91

An Expanded Set of Queries

[Figure: call stacks built from the frames main_calls_p, enter_p, p_calls_p1, p_calls_p2, with the effect of each frame on x annotated: x = 5 in main, +1 before a p_calls_p1 call and −1 after it, −1 before a p_calls_p2 call and +1 after it.]

Slide92

An Expanded Set of Queries

(program as on Slide90)

Query: <x, enter_p (p_calls_p2 p_calls_p1)* main_calls_p>   ⇒   5

Slide93

An Expanded Set of Queries

(program as on Slide90)

Query: <x, enter_p (p_calls_p2 + p_calls_p1)* main_calls_p>   ⇒   5 ⊔ 4 = ⊤

Slide94

An Expanded Set of Queries

(program as on Slide90)

Query: <x, enter_p Σ*>   (any stack configuration)   ⇒   5 ⊔ 4 = ⊤

Slide95

An Expanded Set of Queries

L1 = <x, enter_p p_calls_p2 p_calls_p1 main_calls_p>
L2 = <x, enter_p (p_calls_p2 p_calls_p1)* main_calls_p>
L3 = <x, enter_p (p_calls_p2 + p_calls_p1)* main_calls_p>
L4 = <x, enter_p Σ*>

JOVP’(L) = ⊔_{c ∈ L, p ∈ MatchedPathsTo[c]} pf_p(V0)

JOVP(n) = ⊔_{p ∈ MatchedPathsTo[n]} pf_p(V0)

JOVP’(L3) = JOVP’(L4) = JOVP(enter_p)
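The four stack-qualified queries L1–L4 of the preceding slides, answered here by brute-force enumeration of call stacks up to a depth bound instead of by the WPDS machinery; an added example, not code from the talk. The depth bound, the regular-expression encoding of the stack languages and the ⊤ marker are assumptions; the program and the stack symbols are those of Slide90.

```python
import re
from itertools import product

# Added example (not the WPDS++ machinery): JOVP' for a regular stack language,
# computed by enumerating the stacks that can reach enter_p in the program on
# the slides.  Stacks are written top-first, as on the slides:
#   enter_p <pending recursive call sites> main_calls_p
TOP = "⊤"                                      # the join of two different constants
EFFECT = {"p_calls_p1": +1, "p_calls_p2": -1}  # update to x made just before each call

def enumerate_stacks(max_depth):
    """Every stack reaching enter_p with at most max_depth pending recursive calls."""
    for depth in range(max_depth + 1):
        for sites in product(EFFECT, repeat=depth):
            yield ("enter_p",) + sites + ("main_calls_p",)

def x_at_enter_p(stack):
    """x on entry to p for one concrete stack: main set x = 5, and every
    pending recursive call applied its pre-call update before calling."""
    return 5 + sum(EFFECT[site] for site in stack[1:-1])

def query(stack_regex, max_depth=4):
    """JOVP' over the stacks in the regular language (bounded enumeration):
    the single constant if all matching stacks agree, ⊤ if they differ,
    None if no stack within the bound matches."""
    values = {x_at_enter_p(s) for s in enumerate_stacks(max_depth)
              if re.fullmatch(stack_regex, " ".join(s))}
    if not values:
        return None
    return values.pop() if len(values) == 1 else TOP

# The stack languages L1..L4 from the slides, as regular expressions (assumption).
L1 = r"enter_p p_calls_p2 p_calls_p1 main_calls_p"
L2 = r"enter_p (p_calls_p2 p_calls_p1 )*main_calls_p"
L3 = r"enter_p ((p_calls_p2|p_calls_p1) )*main_calls_p"
L4 = r"enter_p .*"

if __name__ == "__main__":
    for name, lang in [("L1", L1), ("L2", L2), ("L3", L3), ("L4", L4)]:
        print(name, "→", query(lang))
```

L2 stays at 5 because every p_calls_p2 / p_calls_p1 pair contributes −1 and +1; L3 admits a lone p_calls_p1 (x = 6) or p_calls_p2 (x = 4) and so joins to ⊤, matching the slides’ JOVP’(L3) = JOVP’(L4).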

Slide96

So What? Who Cares? [Yawn]

Check properties of programs using model checking
  SLAM [Ball & Rajamani 00]
  MOPS [Chen & Wagner 02]
  “Metacompilation” [Engler et al.]

In essence, all are using PDSs

PDS → WPDS: a more powerful formalism for modeling program behaviors: How does the program transform the data?

Slide97

Widening in Independent-Attribute Domains

  ; ebx: variable i
  ; ecx: variable p
          sub  esp, 40          ; adjust stack
          lea  edx, [esp+8]     ;
          mov  [8], edx         ; pArray2 = &a[2]
          lea  ecx, [esp]       ; p = &a[0]
          mov  edx, [4]         ;
  loc_9:
          mov  [ecx], edx       ; *p = arrVal
          add  ecx, 4           ; p++
          inc  ebx              ; i++
          cmp  ebx, 10          ; i < 10?
          jl   short loc_9      ;
          mov  edi, [8]         ;
          mov  eax, [edi]       ; return *pArray2
          add  esp, 40
          retn

[Figure: memory layout. Global region with a-locs mem_4 at (GL,4), mem_8 at (GL,8), and (GL,12); region for main with a-locs main_40 at (main,−40), main_32 at (main,−32), and ret_main at (main,0). Arrows show which a-locs each instruction reads and writes.]

Value set for ecx at loc_9:   ecx ↦ (∅, [−40, +∞])

Corrupts the stack?

Slide98

Affine-Relation Analysis

Value sets are an independent-attribute domain: no relations on the values of different variables

Imprecise results, e.g., upper bound for ebx from “cmp ebx,10” (i < 10?) but no upper bound for ecx at loc_9

Improved by discovering affine relations: identifies a loop’s induction variables

          . . .
  loc_9:
          mov  [ecx], edx       ; *p = arrVal
          add  ecx, 4           ; p++
          inc  ebx              ; i++
          cmp  ebx, 10          ; i < 10?
          jl   short loc_9      ;
          . . .

Slide99

Affine-Relation Analysis

Obtain affine relations via static analysis

Propagate loop-bound info from loop-control registers to other variables, e.g., at loc_9:

  ecx = esp + 4·ebx,   ebx = ([0,9], ∅),   esp = (∅, −40)
  ⇒ ecx = (∅, −40) + 4·([0,9], ∅)
  ⇒ ecx = (∅, 4[−10,−1])      i.e., an upper bound for ecx at loc_9

          . . .
  loc_9:
          mov  [ecx], edx       ; *p = arrVal
          add  ecx, 4           ; p++
          inc  ebx              ; i++
          cmp  ebx, 10          ; i < 10?
          jl   short loc_9      ;
          . . .

Slide100

Affine-Relation Analysis

Affine relation: a0 + Σ_{i=1..n} (a_i · x_i) = 0
  x1, x2, …, xn: variables
  a0, a1, …, an: int constants

More general than constant propagation and induction-variable analysis

ARA for modular arithmetic (Müller-Olm & Seidl [ESOP 05]), reformulated using WPDSs

Application: determine affine relations for x86 registers; propagate loop-bound info from loop-control registers to other variables
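Added example (not from the slides’ analysis tool): the value set of ecx at loc_9 computed first with ecx tracked as an independent attribute, where widening loses the upper bound, and then through the affine relation ecx = esp + 4·ebx of Slide99, followed by the stack-corruption check the slides ask about. Intervals are (lo, hi) pairs; the frame size is read from sub esp, 40, and the helper names are assumptions.

```python
import math

# Added example (not from the slides): interval reasoning about the loop at
# loc_9.  Offsets are relative to main's frame base (main, 0); after
# "sub esp, 40" the array a occupies offsets [-40, -1] and the return address
# sits at offset 0, so a 4-byte store at offset o is safe iff o + 3 <= -1.
FRAME_SIZE = 40

def interval_add(a, b):
    return (a[0] + b[0], a[1] + b[1])

def interval_scale(k, a):
    return (k * a[0], k * a[1]) if k >= 0 else (k * a[1], k * a[0])

def widen(old, new):
    """Interval widening: any bound that is still moving jumps to ±∞."""
    lo = old[0] if new[0] >= old[0] else -math.inf
    hi = old[1] if new[1] <= old[1] else math.inf
    return (lo, hi)

def ecx_independent():
    """ecx at loc_9 when ebx and ecx are tracked separately: the cmp ebx,10
    bound never reaches ecx, which only grows by 4 per iteration, so widening
    settles on an unbounded upper end (the slides' (∅, [-40, +∞]))."""
    ecx = (-FRAME_SIZE, -FRAME_SIZE)            # lea ecx, [esp]: p = &a[0]
    while True:
        after = interval_add(ecx, (4, 4))       # add ecx, 4: p++
        joined = (min(ecx[0], after[0]), max(ecx[1], after[1]))   # loop-head join
        new = widen(ecx, joined)
        if new == ecx:
            return ecx
        ecx = new

def ecx_affine(loop_bound=10):
    """ecx at loc_9 via the affine relation ecx = esp + 4·ebx, with ebx's
    range [0, loop_bound-1] taken from cmp ebx,10 / jl."""
    ebx = (0, loop_bound - 1)
    esp = (-FRAME_SIZE, -FRAME_SIZE)
    return interval_add(esp, interval_scale(4, ebx))     # (-40, -4)

def store_stays_in_frame(ecx, width=4):
    """Can every `width`-byte store through ecx be shown to stay inside the
    array region [-FRAME_SIZE, -1], i.e., never reach the return address?"""
    return ecx[0] >= -FRAME_SIZE and ecx[1] + width - 1 <= -1

if __name__ == "__main__":
    for name, ecx in [("independent", ecx_independent()), ("affine", ecx_affine())]:
        print(name, ecx, "store stays in frame:", store_stays_in_frame(ecx))
```

With the independent-attribute result the check cannot rule out a write over ret_main (the slides’ “Corrupts the stack?”); with the affine relation the last store lands at offsets −4..−1, and the check succeeds (“No corruption of the stack!”).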

Slide101

Widening in Independent-Attribute Domains

(assembly listing and memory layout as on Slide97)

Value set for ecx at loc_9, after affine-relation analysis:   ecx ↦ (∅, [−40, −4])

No corruption of the stack!

Slide102

Our Story Continues . . .

Traditional trust-management models provide centralized solutions
  require certificates to be sent to a central site for certificate-chain discovery
  not acceptable in practice
  solution: distributed WPDS solver [JSWR06, Kidd unpublished]
  useful in program analysis, too

Polyhedral analysis? “widening weights” [Gopan thesis]

Concurrent PDS model checker [CCKRT06]
  Analysis engine for model checking concurrent programs
  Undecidable in general; uses semi-decision procedure [BET03]

Context-bounded model checking: analyze a concurrent program for a bounded number of context switches [QR05], [LTKR08]

Slide103

Concurrent PDS Model Checking

CPDS: Analysis engine for model checking concurrent programs

S. Chaki, E. Clarke, N. Kidd, T. Reps, and T. Touili, Verifying concurrent message-passing C programs with recursive calls, TACAS, 2006.

CPDS = Magic + an appropriate WPDS

Found a real bug in a Bluetooth driver

Slide104

CPDS Analysis of Bluetooth Driver (I)

Model of Bluetooth driver from Windows NT
  Reentrant multi-threaded library
  Has known bug, found by KISS [QW04]
  2 handler processes, each receives one request: A: RUN; B: STOP
  2 context switches: A → B → A

Modeled with a CPDS
  Buggy run performs 8 actions
  Found in 5 seconds, using 334 MB

Slide105

CPDS Analysis of Bluetooth Driver (II)

“Corrected” version of model obtained from S. Qadeer (Microsoft Research)

Challenge: Could we establish that it was correct?

Answers obtained by CPDS model checking:
  For 2 processes, correct
  For 3 processes, incorrect
    Buggy run performs 14 actions
    Found in 20 seconds, using 391 MB

Slide106

CPDS Analysis of Bluetooth Driver (III)

What was the bug?

3 handler processes; 1 request each: A1: RUN, A2: RUN, B: STOP
4 context switches: A1 → B → A2 → B → A1

[Figure: the buggy interleaving, in order: counter = 2; finish; counter--; release resources; counter--.]

Slide107

CPDS Analysis of Bluetooth Driver (IV)

Corrected, “corrected” version

Answers obtained by CPDS model checking:
  For 2 processes, correct
  For 3 processes, correct
  For 4 processes, correct
  For 5 processes, memory exhausted [more efficient version being developed]

Slide108

Context-Bounded Analysis

[QR05]
  program models: predicate abstraction
  explore state space for up to k context switches
  use post* to find reachable configurations
  split post* automaton according to the global states
  for each automaton, perform context switch

[LTKR08]
  program models: WPDSs
  create weighted transducer T that captures the (weighted) reachability relation
  T^k = compose T k times with itself
  apply T^k to initial state

Slide109

Conclusion

Built a bridge between authorization problems for distributed systems and static program analysis

Message: use model-checking techniques for the reachability problems that arise in authorization
  Similar to what happened 25 years ago for HW verification

Showed how to fix a flaw in SPKI/SDSI: cert chain → cert tree

Beneficial side effect: improved program-analysis methods
  we use WPDSs extensively in our tools to analyze stripped x86 executables [LRB05, B07]

Cross-fertilization from working on both problems together

Try them yourself: Google for “WPDS++” or “WALi”

Slide110

Questions?

Slide111

Slide112

Related Work

SPKI/SDSI: Clarke, Elien, Ellison, Fredette, Morcos, & Rivest [J. Comp. Sec. 01]

Pushdown systems: Bouajjani, Esparza, & Maler [Concur 97]; Finkel, Willems, & Wolper [ENTCS 97]; Esparza, Hansel, Rossmanith, & Schwoon [CAV 00]; Bouajjani, Esparza, & Touili [POPL 03]

Weighted-hypergraph problems: Knuth [IPL 77]

Grammar flow analysis: Möncke & Wilhelm [WAGA 91]; Ramalingam thesis [LNCS #1089]; Ramalingam & Reps [J. Alg 96]

Interprocedural dataflow analysis: [Cousot & Cousot 78], [Sharir & Pnueli 81], [Knoop & Steffen 92]; IDE framework: Sagiv, Reps, & Horwitz [TCS 96]

Slide113

Error Projection [SAS 07]

Original program:

  int numUnits;
  int level;
  void getUnit() {
  [1]   bool canEnter = F;
  [2]   if (numUnits == 0) {
  [3]     if (level > 10) {
  [4]       NewUnit();
  [5]       numUnits = 1;
  [6]       canEnter = T;
          }
        } else
  [7]     canEnter = T;
  [8]   if (canEnter)
  [9]     if (numUnits == 0)
  [10]      assert(F);
          else
  [11]      gotUnit();
  }

Abstraction with every condition nondeterministic (?):

  void getUnit() {
  [1]   . . .
  [2]   if (?) {
  [3]     if (?) {
  [4]       . . .
  [5]       . . .
  [6]       . . .
          }
        } else
  [7]     . . .
  [8]   if (?)
  [9]     if (?)
  [10]      assert(F);
          else
  [11]      . . .
  }

Abstraction with the predicate nU0:

  bool nU0;
  void getUnit() {
  [1]   . . .
  [2]   if (nU0) {
  [3]     if (?) {
  [4]       . . .
  [5]       nU0 = F;
  [6]       . . .
          }
        } else
  [7]     . . .
  [8]   if (?)
  [9]     if (nU0)
  [10]      assert(F);
          else
  [11]      . . .
  }

Abstraction with the predicates nU0 and cE:

  bool nU0;
  void getUnit() {
  [1]   bool cE = F;
  [2]   if (nU0) {
  [3]     if (?) {
  [4]       . . .
  [5]       nU0 = F;
  [6]       cE = T;
          }
        } else
  [7]     cE = T;
  [8]   if (cE)
  [9]     if (nU0)
  [10]      assert(F);
          else
  [11]      . . .
  }

Slide114

Other Contributions

Differential propagation [SCP 05]: weight domain + difference operator; simultaneous forward & backward analysis
Error projection [SAS 07]
Extended WPDS [CAV 05]: extension for handling local variables
Non-saturation-based pre*/post* algs. [CAV06]
Distributed algorithms for WPDS problems
Implemented systems (WPDS++, WALi)
Non-trivial applications in a tool for analyzing stripped executables