Slide 1
Program Analysis using Weighted Pushdown Systems
Thomas Reps (1,2), Akash Lal (1), and Nick Kidd (1)
(1) Univ. of Wisconsin
(2) GrammaTech, Inc.

Slide 2
Static Program Analysis
Tool for building correct, reliable, efficient, and secure software
What states can my program reach?
  Testing: run on specific (or random) inputs
  Static analysis: run "in the aggregate" on descriptors of multiple states
Can e ever be out of bounds?
  . . . a[e] . . .

Slide 3
Static Program Analysis
Tool for building correct, reliable, efficient, and secure software
What states can my program reach?
  Testing: run on specific (or random) inputs
  Static analysis: run "in the aggregate" on descriptors of multiple states
Does the program conform to policy P?

Slide 4
Sidestepping Undecidability
[Figure: a control flow graph (CFG); the concrete semantics f maps a set of states SS to f(SS); the abstract semantics f# maps a descriptor d of a state set to f#(d)]

Slide 5
Intraprocedural Analysis
JOP(n) = ⊔ { pf_p(V0) | p ∈ PathsTo[n] }      (join over all paths from enter to n)
pf_p = f_k ∘ f_{k-1} ∘ … ∘ f_2 ∘ f_1           (composition of the abstract transformers f_1#, f_2#, …, f_k# along p)
[Figure: CFG with the enter node, a path to n, and the edge transformers f_1#, …, f_k# along it]

Slide 6
Sidestepping Undecidability
[Figure: the universe of states containing the reachable states and the bad states; the analysis overapproximates the reachable states, so the overapproximation can overlap the bad states even when no reachable state is bad]
Overapproximate the reachable states
False positive!

Slide 7
Rest of the Talk: A Story
From CFL-Reachability to Weighted Pushdown Systems
T. Reps, S. Jha, S. Schwoon, N. Kidd, A. Lal, D. Melski, T. Touili, H. Wang, G. Balakrishnan, D. Gopan, J. Lim, S. Chaki, E. Clarke, S. Stubblebine
Prologue: Program analysis via CFL-reachability

Slide 8
Our Story's Theme: When the World Smiles on You
Aha! My problem P can be cast in formalism F, and I can use a known algorithm A_F
Bonus: Can sometimes do more, now that you know that P is an F problem
Bummer: I want to do "something" that F doesn't support
Ah! Extend F to do "something"
  Write new paper, which is interesting because of the connection to P
  Discover that the extension has applications and/or applications in the original context (i.e., F problems)

Slide 9
Ordinary Graph Reachability vs. CFL-Reachability
[Figure: two copies of a graph with source s and target t whose edges are labeled e, (, ), [, ]; in ordinary graph reachability every s-to-t path counts, in CFL-reachability only paths whose sequence of edge labels is a string of the language generated by the grammar]
Grammar:
  matched → e
          | [ matched ]
          | ( matched )
          | matched matched

Slide 10
CFL-Reachability via Dynamic Programming
[Figure: grammar production A → B C applied to the graph: wherever an edge labeled B is followed by an edge labeled C, an edge labeled A is added between the endpoints]
O(V^3) [Yannakakis 90]
o(V^3) [Chaudhuri 08]

Slide 11
[Figure: interprocedural CFG of the example program. main: start main; x = 3; p(x,y); return from p; printf(y); exit main. p: start p(a,b); if . . .; b = a; printf(b); p(a,b); return from p; exit p. Call edges are labeled with open parentheses/brackets and return edges with the matching close symbols]

Slide 12
Interprocedural Analysis
JOVP(n) = ⊔ { pf_p(V0) | p ∈ MatchedPathsTo[n] }      (join over all valid paths: only paths whose calls and returns match)
[Figure: CFG with start node, call q / enter q / exit q / ret nodes, and the transformers f_1#, …, f_k# along a matched path to n]

Slide 13
Representing Distributive Functions [RHS95]
Identity function: f({a, b}) = {a, b};  f = λV.V
Constant function: f({a, b}) = {b};     f = λV.{b}
[Figure: each function drawn as a bipartite graph on the dataflow facts a, b, c]

Slide 14
Representing Distributive Functions [RHS95]
"Gen/Kill" function:      f({a, b}) = {a, c};  f = λV.(V − {b}) ∪ {c}
Non-"Gen/Kill" function:  f({a, b}) = {a, b};  f = λV. if a ∈ V then V ∪ {b} else V − {b}
[Figure: each function drawn as a bipartite graph on the dataflow facts a, b, c]

Slide 15
[Figure: the example program's interprocedural CFG (main: x = 3; p(x,y); return from p; printf(y). p: start p(a,b); if . . .; b = a; p(a,b); return from p; printf(b); exit p) with the possibly-uninitialized-variable facts x, y, a, b tracked along its edges]

Slide 16
[Figure: the same CFG and facts x, y, a, b, with matched call/return edges]
Might y be uninitialized here? YES!
Might b be uninitialized here? NO!

Slide 17
CFL-Reachability Advantages
Intuitive
  good conceptual model for understanding many dataflow-analysis results
Linear-time algorithms for some variants

Slide 18
Unifying Conceptual Model for Dataflow-Analysis Literature
Linear-time gen-kill [Hecht 76], [Kou 77]
Path-constrained DFA [Holley & Rosen 81]
Linear-time GMOD [Cooper & Kennedy 88]
Flow-sensitive MOD [Callahan 88]
Linear-time interprocedural gen-kill [Knoop & Steffen 93]
Linear-time bidirectional gen-kill [Dhamdhere 94]
Relationship to interprocedural DFA [Sharir & Pnueli 81], [Knoop & Steffen 92]

Slide 19
. . . As Well As . . .
Flow-insensitive points-to analysis
Model checking of recursive hierarchical finite-state machines
Analysis of attribute grammars
Security of crypto-based protocols for distributed systems [Dolev, Even, & Karp 83]
Formal-language problems
  CFL-recognition (given G and a string, is the string in L(G)?)
  2DPDA- and 2NPDA-simulation (given M and a string, is the string in L(M)?)
String-matching problems

Slide 20
Rest of the Talk: A Story
From CFL-Reachability to Weighted Pushdown Systems
T. Reps, S. Jha, S. Schwoon, N. Kidd, A. Lal, D. Melski, T. Touili, H. Wang, G. Balakrishnan, D. Gopan, J. Lim, S. Chaki, E. Clarke, S. Stubblebine

Slide 21
Our Story
Prologue: Program analysis via CFL-reachability
Chapter 1: Cubic-time algorithm for certificate-chain discovery in SPKI/SDSI:
  D. Clarke, J.-E. Elien, C.M. Ellison, M. Fredette, A. Morcos, and R.L. Rivest, Certificate chain discovery in SPKI/SDSI, JCS, 2001

Slide 22
Authorization to Use Shared Resources
Traditionally, use access control lists (ACLs)
  Associate permissions with objects
  E.g., AFS permissions for directory D:
    reps           rlidwka
    touili         rlidwk
    reps:students  rl

Slide 23
Trust Management
Express security policy in a formal language
  Digitally signed statements
    Bob: Joe is my student [C1]
    Alice: All of Bob's students can access host H [C2]
Find a proof of authorization: "certificate-chain discovery"
  Joe provides "proof of authorization" to Alice: C1 + C2
Proof is checked and Joe is granted access: "compliance checking"
Examples: Keynote [Blaze et al.], Referee [Chu et al.], RT* [Li and Mitchell], SD3 [Jim], Binder [DeTreville], …

Slide 24
[Figure: SPKI (Ellison, Frantz, Thomas, & Ylonen) and SDSI (Lampson and Rivest) merged into SPKI/SDSI (Ellison, Frantz, Lampson, Rivest, Thomas, & Ylonen); the merged design has local name spaces (e.g., reps student, reps student spouse) and delegation]

Slide 25
SPKI/SDSI
Principals (Public Keys)
  K_Bob, K_Alice: individuals
  K_CS: CS Department
  K_Owner[R]: owner of resource R
Local Names
  K_CS faculty
  K_Bob myStudents
Extended Names
  K_Bob myStudents spouse

Slide 26
Name Certs
Bob is a CS faculty member:    K_CS faculty → K_Bob
Alice is a student of Bob's:   K_Bob myStudents → K_Alice
Alice's friends . . .:         K_Alice myFriends → K_Joe
                               K_Alice myFriends → K_Mary enemies
                               K_Alice myFriends → K_Mary enemies spouse
Each name cert also has a validity specification (usually a time interval)

Slide 27
Auth Certs
A CS faculty member can use host H:   K_Owner[H] → K_CS faculty     (can delegate)
Bob allows access to his students:    K_Bob → K_Bob myStudents       (cannot delegate)
Alice allows access to her friends:   K_Alice → K_Alice myFriends

Slide 28
Auth Certs
A CS faculty member can use host H:   K_Owner[H] → K_CS faculty     (can delegate)
Bob allows access to his students:    K_Bob → K_Bob myStudents       (cannot delegate)
Alice allows access to her friends:   K_Alice → K_Alice myFriends
Each auth cert also has
  a validity specification (time interval)
  an authorization specification (e.g., H)

Slide 29
Certificate Chain
[Figure: the chain K_Owner[H] → K_CS faculty → K_Bob → K_Bob myStudents → K_Alice, assembled from the auth cert K_Owner[H] → K_CS faculty, the name cert K_CS faculty → K_Bob, the auth cert K_Bob → K_Bob myStudents, and the name cert K_Bob myStudents → K_Alice]

Slide 30
Certificate Chain
[Figure: the same chain reduced step by step: K_Owner[H] → K_CS faculty → K_Bob → K_Bob myStudents → K_Alice, so K_Owner[H] → K_Alice]

Slide 31
Certificate Chain
[Figure: the same chain; the auth cert K_Alice → K_Alice myFriends does not apply!]

Slide 32
Basic Authorization-Access Query
Given a resource R and principal K, is K authorized to access R?
Solved by finding a certificate chain that proves that access is permitted (certificate-chain discovery)
Cubic-time algorithm: Clarke, Elien, Ellison, Fredette, Morcos, & Rivest [JCS 01]

Slide 33
Our Story
Prologue: Program analysis via CFL-reachability
Chapter 1: Cubic-time algorithm for certificate-chain discovery in SPKI/SDSI [CEEFMR01]
Chapter 2 (Aha!): September 2001: Jha and Reps discuss the Clarke et al. paper and see the connection between certificate-chain discovery and model-checking pushdown systems (PDSs)
  New application for the PDS formalism; previously
    PDSs describe the call-return structure of programs
    PDS model checking: establish properties of recursive programs

Slide 34
Unrolled Program = Transition System
[Figure: interprocedural CFG with procedure p (nodes a, b, c, f, g, h, i, j) and procedure q (nodes d, e); each call to q is unrolled by inlining a copy of q's nodes d, e at the call site]

Slide 35
Unrolled Program = ∞-State Transition System
[Figure: procedure p (nodes a, b, d, f, c, e) calls itself; unrolling the recursive call repeatedly yields infinitely many copies of p, i.e., an infinite-state transition system]

Slide 36
Pushdown System (PDS)
Pushdown automaton without an input tape
States: { σ1, σ2, σ3, σ4 }
Stack symbols: { A, B, C, D }
Transition rules:
  <σ1, A> → <σ2, ε>
  <σ1, A> → <σ2, B>
  <σ1, A> → <σ2, B C>

Slide 37
Pushdown System (PDS)
Pushdown automaton without an input tape
States: { σ1, σ2, σ3, σ4 }
Stack symbols: { A, B, C, D }
Transition rules:
  <σ1, A> → <σ2, ε>
  <σ1, A> → <σ2, B>
  <σ1, A> → <σ2, B C>
Rule <σ1, A> → <σ2, ε>: if the state is σ1 and the top of the stack is A, then pop A and transition to state σ2

Slide 38
Pushdown System (PDS)
Pushdown automaton without an input tape
States: { σ1, σ2, σ3, σ4 }
Stack symbols: { A, B, C, D }
Transition rules:
  <σ1, A> → <σ2, ε>
  <σ1, A> → <σ2, B>
  <σ1, A> → <σ2, B C>
Rule <σ1, A> → <σ2, B>: if the state is σ1 and the top of the stack is A, then pop A, transition to state σ2, and push B

Slide 39
Pushdown System (PDS)
Pushdown automaton without an input tape
States: { σ1, σ2, σ3, σ4 }
Stack symbols: { A, B, C, D }
Transition rules:
  <σ1, A> → <σ2, ε>
  <σ1, A> → <σ2, B>
  <σ1, A> → <σ2, B C>
Rule <σ1, A> → <σ2, B C>: if the state is σ1 and the top of the stack is A, then pop A, transition to state σ2, push C, then push B

Slide 40
Rules Define a Transition Relation
[Figure: effect of each rule on a configuration: <σ, A> → <σ', ε> pops A; <σ, A> → <σ', B> replaces the top A by B; <σ, A> → <σ', B C> replaces A by C with B pushed on top; in every case the state changes from σ to σ' and the rest of the stack is unchanged]

Slide 41
Pushdown System (PDS)
Pushdown automaton without an input tape
Mechanism for defining a class of infinite-state transition systems
  <σ, A> → <σ, A A>
  <σ, A> ⇒ <σ, AA> ⇒ <σ, AAA> ⇒ … ⇒ <σ, AAAA> ⇒ …

Slide 42
Interprocedural CFG as a PDS
[Figure: CFG with procedure p (nodes a, b, c, f, g, h, i, j) and procedure q (nodes d, e); each CFG edge becomes a PDS rule]
  <σ, a> → <σ, b>

Slide 43
Interprocedural CFG as a PDS
[Same figure]
  <σ, b> → <σ, c>

Slide 44
Interprocedural CFG as a PDS
[Same figure]
  <σ, c> → <σ, d f>      (call q from c: save return site f on stack)

Slide 45
Interprocedural CFG as a PDS
[Same figure]
  <σ, d> → <σ, e>

Slide 46
Interprocedural CFG as a PDS
[Same figure]
  <σ, e> → <σ, ε>        (return from q: uncovers most recent call site)

Slide 47
Interprocedural CFG as a PDS
[Same figure]
  <σ, f> → <σ, g>

Slide 48
Interprocedural CFG as a PDS
[Same figure]
  <σ, g> → <σ, h>

Slide 49
Interprocedural CFG as a PDS
[Same figure]
  <σ, h> → <σ, d i>      (call q from h: save return site i on stack)

Slide 50
Unrolled Program = ∞-State Transition System
[Figure: the recursive procedure p (nodes a, b, d, f, c, e) unrolled; each node of the unrolled program corresponds to a PDS configuration, e.g., <σ, f e c> and <σ, b c c>, whose stack records the pending return sites]

Slide 51
PDS Terminology
Configuration: <σ, f e c>   (state σ, stack f e c with f on top)
c ⇒ c' (transition relation): c' follows from c by a transition rule; c is a predecessor of c', c' is a successor of c
c0 ⇒ c1 ⇒ . . . ⇒ cn: a run
c ⇒* c': reflexive transitive closure of ⇒

Slide 52
A Run
[Figure: the unrolled recursive procedure p with the run <σ, a> ⇒ <σ, b> ⇒ <σ, a c> ⇒ <σ, b c> ⇒ <σ, a c c> ⇒ <σ, f c c> ⇒ <σ, c c> ⇒ <σ, d c> ⇒ <σ, a e c> ⇒ <σ, f e c> traced through it]

Slide 53
A Run
[Same figure: the run continued]

Slide 54
A Run
[Same figure: the run continued]

Slide 55
PDS Terminology
Configuration: <σ, B A C>   (state σ, stack B A C with B on top)
c ⇒ c' (transition relation): c' follows from c by a transition rule; c is a predecessor of c', c' is a successor of c
c0 ⇒ c1 ⇒ . . . ⇒ cn: a run
c ⇒* c': reflexive transitive closure of ⇒

Slide 56
PDS Terminology
Configuration: <K_Bob, myStudents>   (state K_Bob, stack myStudents)
c ⇒ c' (transition relation): c' follows from c by a transition rule; c is a predecessor of c', c' is a successor of c
c0 ⇒ c1 ⇒ . . . ⇒ cn: a run
c ⇒* c': reflexive transitive closure of ⇒

Slide 57
Pre*(S)
Basic Authorization-Access Query:
  Is <K_Owner[H], □> ∈ Pre*({<K, □>, <K, ■>})?
  S = {<K, □>, <K, ■>}
[Figure: the set Pre*(S) of configurations from which S can be reached, with <K_Owner[H], □> inside it]

Slide 58
Representation Issue
The set of configurations pre*(S) can be infinite
Example: <σ, A> → <σ, ε>
  pre*({<σ, A>}) = { <σ, A^i> | i ≥ 1 }
  … ⇒ <σ, AAA> ⇒ <σ, AA> ⇒ <σ, A> ⇒ <σ, ε>
Solution in the PDS literature: represent a set of configurations with an automaton

Slide 59
[Figure: automaton M and the saturated automaton for pre*(M)]

Slide 60
[Figure: automaton M and the automaton for post*(M)]

Slide 61
[Figure: automaton representing {<K_Alice, □>, <K_Alice, ■>}: states K_CS, K_Owner[H], K_Alice, K_Bob plus an accepting state; the only transition is K_Alice --{□, ■}--> accepting state]

Slide 62
What Does the Automaton Represent?
A set of configurations: <K, a1 … am> is in the set if there is a path K --a1--> --a2--> … --am--> from K to an accepting state
Initial automaton represents {<K_Alice, □>, <K_Alice, ■>}
[Figure: automaton with states K_CS, K_Owner[H], K_Alice, K_Bob and the transition K_Alice --{□, ■}--> accepting state]

Slide 63
From M to Pre*(M)
Saturation rule: for a PDS rule <σ, A> → <σ1, A1 . . . Am>, whenever the automaton has a path σ1 --A1--> … --Am--> q, add the transition σ --A--> q
[Figure: the path σ1 --A1 … Am--> q and the added transition σ --A--> q]

Slide 64
Pre*({<K_Alice, □>, <K_Alice, ■>})
Rules applied (name certs):
  <K_CS, faculty> → <K_Bob, ε>
  <K_Bob, myStudents> → <K_Alice, ε>
[Figure: automaton with states K_CS, K_Owner[H], K_Alice, K_Bob; transitions K_Alice --{□, ■}--> accept, plus the added transitions K_CS --faculty--> K_Bob and K_Bob --myStudents--> K_Alice]

Slide 65
Pre*({<K_Alice, □>, <K_Alice, ■>})
Rules applied (auth certs):
  <K_Bob, □> → <K_Bob, myStudents ■>
  <K_Owner[H], □> → <K_CS, faculty □>
[Figure: the automaton above, plus the added transitions K_Bob --□--> accept and K_Owner[H] --□--> accept]

Slide 66
Pre*({<K_Alice, □>, <K_Alice, ■>})
[Figure: the saturated automaton; the path K_Owner[H] --□--> accept shows that <K_Owner[H], □> ∈ Pre*({<K_Alice, □>, <K_Alice, ■>})]

Slide 67
Time and Space Complexity
n_K: number of principals
|C|: sum of the lengths of the right-hand sides of the certs in C
Pre*: time complexity O(n_K |C|); space complexity O(n_K |C|)
Post*: time and space complexity O(n_K |C|^2)

Slide 68
Our Story
Chapter 3 (Bonus): Applying model-checking techniques lets you answer other questions about SPKI/SDSI certificate sets [JR02, JR04]
  What are the properties of this security policy?
  What would happen if the policy were changed?

Slide 69
Certificate-Set Analysis
Generalized authorization-access query: Given a resource R and name N (not necessarily a principal), is N authorized to access R?
  Name N = K A1 … Am
  Is <K_Owner[R], □> in pre*({<K, A1 … Am □>, <K, A1 … Am ■>})?

Slide 70
Certificate-Set Analysis
Expiration vulnerability query: What resources will principal K be prevented from accessing if certificate set C' expires?
  R1 = pre*[C]({<K, □>, <K, ■>})
  R2 = pre*[C − C']({<K, □>, <K, ■>})
  Answer: { K_Owner[R] | <K_Owner[R], □> is in R1 − R2 }

Slide 71
Certificate-Set Analysis
Many more: see [JR04]
Main message: Algorithms for model checking pushdown systems can be exploited to solve several certificate-set-analysis problems

Slide 72
Our Story
Chapter 3 (Bonus): Applying model-checking techniques lets you answer other questions about SPKI/SDSI certificate sets [JR02, JR04]
Chapter 4 (Bummer): Actually, SPKI/SDSI PDS
  What about issues such as recency, trust, and expiration?
  From PDSs to weighted PDSs [SJRS03]

Slide 73
Weighted Pushdown System (WPDS) [BET03], [SJRS03]
States: { σ1, σ2, σ3, σ4 }
Stack symbols: { A, B, C, D }
Transition rules (each with a weight):
  <σ1, A> → <σ2, ε>      w1
  <σ1, A> → <σ2, B>      w2
  <σ1, A> → <σ2, B C>    w3

Slide 74
Privacy using a Weighted PDS
Rules (each carries a weight from {S, I}):
  <K_Insurer, □> → <K_H, patient ■>
  <K_H, patient> → <K_AIDS, patient>
  <K_H, patient> → <K_IM, patient>
  <K_AIDS, patient> → <K_Alice, ε>
  <K_IM, patient> → <K_Alice, ε>

Slide 75
Privacy using a Weighted PDS
[Figure: the configurations reachable from <K_Insurer, □>, with weights from {S, I} on the transitions, e.g., <K_Insurer, □> --I--> <K_H, patient ■> --I--> <K_IM, patient ■> --I--> <K_Alice, ■>, and <K_H, patient ■> --S--> <K_AIDS, patient ■> --S--> …; the weights along a path are combined with ⊗: I ⊗ I ⊗ I = I, while any path containing S yields S]

Slide 76
Idempotent Semiring (D, ⊕, ⊗, 0, 1)  [= Join Semilattice (D, ⊔, ..., ⊥, ...)]
  a ⊕ 0 = a
  a ⊕ b = b ⊕ a
  a ⊕ (b ⊕ c) = (a ⊕ b) ⊕ c
  a ⊕ a = a
  a ⊗ 1 = a
  a ⊗ (b ⊗ c) = (a ⊗ b) ⊗ c
  a ⊗ (b ⊕ c) = (a ⊗ b) ⊕ (a ⊗ c)
  (a ⊕ b) ⊗ c = (a ⊗ c) ⊕ (b ⊗ c)
  a ⊗ 0 = 0 ⊗ a = 0
  a ⊑ b iff a ⊕ b = b

Slide 77
Idempotent Semiring (D, ⊕, ⊗, 0, 1)  [= Join Semilattice (D, ⊔, ..., ⊥, ...)]
a ⊑ b iff a ⊕ b = b
              D            ⊕            ⊗            0     1
  Validity    N ∪ {∞}      max          min          −∞    +∞
  Privacy     {S, I}       S ⊕ I = I    S ⊗ I = S    S     I

Slide 78
Validity using a Weighted PDS
Rules (with validity):
  K_Owner[D] → K_Alice    10
  K_Owner[D] → K_Alice    20
Request: Does K_Alice have the right to access D? If so, what is the cert chain with the largest validity value?

Slide 79
Validity using a Weighted PDS
[Figure: two transitions from <K_Owner[D], □> to <K_Alice, ■>, with weights 10 and 20; ⊕ = max, so the answer is max(10, 20) = 20]

Slide 80
"Auth Cert Reduction is Incomplete" [LM03]
Rules (with authorization):
  K_Owner[D] → K_Alice    {read}
  K_Owner[D] → K_Alice    {write}
Request: Does K_Alice have {read,write} access to D?
RF C2693: "Remove all certificates whose authorization is not ⊇ {read,write}"
  No

Slide 81
Authorization using a Weighted PDS
[Figure: two transitions from <K_Owner[D], □> to <K_Alice, ■> with weights {read} and {write}; ⊕ = ∪, so {read} ⊕ {write} = {read, write}]
Cert chain?!

Slide 82
Authorization using a Weighted PDS
[Figure: the same two transitions from <K_Owner[D], □> to <K_Alice, ■>; {read} ⊕ {write} = {read, write}, and both certs are part of the proof]
Cert tree!

Slide 83
Authorization + Validity
Rules (with authorization and validity):
  K_Owner[D] → K_Alice    {read}, 10
  K_Owner[D] → K_Alice    {write}, 20
                   D               ⊕     ⊗     0     1
  Validity         N ∪ {∞}         max   min   −∞    +∞
  Authorization    P({rlidwka})    ∪     ∩     ∅     {rlidwka}
Combined weight: ({read,write}, 20)?   Rather: {read:10, write:20}

Slide 84
Authorization + Validity
[Figure: two transitions from <K_Owner[D], □> to <K_Alice, ■> with weights {read:10} and {write:20}; {read:10} ⊕ {write:20} = {read:10, write:20}]

Slide 85
Authorization + Validity
[Figure: two transitions from <K_Owner[D], □> to <K_Alice, ■> with weights {r:10, w:15, l:10} and {r:5, w:20, k:5}; {r:10, w:15, l:10} ⊕ {r:5, w:20, k:5} = {r:10, w:20, l:10, k:5}]

Slide 86
From M to Pre*(M)
Weighted saturation rule: for a WPDS rule <σ, A> → <σ1, A1 . . . Am> with weight w, whenever the automaton has a path σ1 --A1--> … --Am--> σk whose transition weights multiply (with ⊗) to X, update the transition σ --A--> σk, currently of weight V, to V ⊕ (w ⊗ X)
[Figure: the path σ1 --A1 … Am--> σk with weight X and the added/updated transition σ --A--> σk with weight V ⊕ (w ⊗ X)]

Slide 87
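The saturation rule of Slides 63-66 and 86, carried out over the certificates of the talk in the Authorization + Validity semiring of Slides 83-85, as an added Python example (not the authors' code or the WPDS++/WALi libraries). It assumes the encoding the talk describes: principals are PDS states, identifiers and the delegation bits □/■ are stack symbols, each cert is a rule whose weight is a {right: validity} map; the validities and rights attached to the certs are constructed here. The weight of <K_Owner, □> in pre*({<K, □>, <K, ■>}) answers the basic query of Slide 57, and rerunning it with a cert removed answers the expiration query of Slide 70.

```python
"""Weighted pre* over SPKI/SDSI certs encoded as a WPDS (constructed example)."""
PERMIT, NO_DELEGATE, ACC = "□", "■", "accept"   # delegation bits, accepting state
# Semiring "Authorization + Validity" (slides 83-85): a weight maps each right
# to the largest validity with which it is granted.
#   ⊕ (combine): union of rights, keeping the larger validity  -> cert *tree*
#   ⊗ (extend):  rights granted by both, keeping the smaller  -> cert *chain*
# ONE (identity of ⊗) means "every right, unbounded validity"; ZERO (identity
# of ⊕) is the empty map, i.e. no access at all.
ONE, ZERO = None, {}

def extend(a, b):
    if a is ONE: return b
    if b is ONE: return a
    return {r: min(a[r], b[r]) for r in a if r in b}

def combine(a, b):
    if a is ONE or b is ONE: return ONE
    out = dict(a)
    for r, v in b.items():
        out[r] = max(out.get(r, v), v)
    return out

def valid(v, rights="rlidwka"):
    """Weight of a cert that grants all AFS-style rights with validity v."""
    return {r: v for r in rights}

def paths(trans, state, syms):
    """Yield (end_state, weight) for every path reading syms from state."""
    if not syms:
        yield state, ONE
        return
    for (p, g, q), w in list(trans.items()):   # snapshot: trans may grow
        if p == state and g == syms[0]:
            for end, rest in paths(trans, q, syms[1:]):
                yield end, extend(w, rest)

def pre_star(rules, target):
    """Saturation of slide 86: for a rule <p,g> -> <p',g1..gn> with weight f
    and an automaton path p' --g1..gn--> q of weight X, set
    l(p --g--> q) := l ⊕ (f ⊗ X) until nothing changes."""
    trans = {}                                  # (src, symbol, dst) -> weight
    for n, (p, stack) in enumerate(target):     # automaton accepting `target`
        src = p
        for i, g in enumerate(stack):
            dst = ACC if i == len(stack) - 1 else f"q{n}_{i}"
            trans[(src, g, dst)] = ONE
            src = dst
    changed = True
    while changed:
        changed = False
        for (p, g), (p2, rhs), f in rules:
            for q, x in paths(trans, p2, rhs):
                old = trans.get((p, g, q), ZERO)
                new = combine(old, extend(f, x))
                if new != old:
                    trans[(p, g, q)] = new
                    changed = True
    return trans

def authorized(certs, owner, k):
    """Rights (with validity) principal k holds on owner's resource: the
    weight of <owner, □> in pre*({<k, □>, <k, ■>}); {} means no access."""
    trans = pre_star(certs, [(k, [PERMIT]), (k, [NO_DELEGATE])])
    w = ZERO
    for q, x in paths(trans, owner, [PERMIT]):
        if q == ACC:
            w = combine(w, x)
    return w

# Certificates from the talk; their validities and rights are constructed here.
BOB_AUTH = (("K_Bob", PERMIT), ("K_Bob", ["myStudents", NO_DELEGATE]), valid(20))
CERTS = [
    (("K_Owner[H]", PERMIT), ("K_CS", ["faculty", PERMIT]), {"r": 50, "w": 50}),
    (("K_CS", "faculty"), ("K_Bob", []), valid(40)),        # name cert
    BOB_AUTH,                                               # cannot delegate
    (("K_Bob", "myStudents"), ("K_Alice", []), valid(60)),  # name cert
    (("K_Owner[D]", PERMIT), ("K_Alice", [NO_DELEGATE]), {"r": 10, "w": 15, "l": 10}),
    (("K_Owner[D]", PERMIT), ("K_Alice", [NO_DELEGATE]), {"r": 5, "w": 20, "k": 5}),
]

if __name__ == "__main__":
    print(authorized(CERTS, "K_Owner[H]", "K_Alice"))   # chain: {'r': 20, 'w': 20}
    print(authorized(CERTS, "K_Owner[D]", "K_Alice"))   # tree: r:10 w:20 l:10 k:5
    # Expiration-vulnerability query (slide 70): what if Bob's auth cert expires?
    print(authorized([c for c in CERTS if c is not BOB_AUTH], "K_Owner[H]", "K_Alice"))
```

The chain through K_CS faculty and K_Bob myStudents is limited by the smallest validity on it (min), while the two certs for D combine into a cert tree (union with max), which is exactly the distinction Slides 81-82 draw.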
Our Story
Chapter 3 (Bonus): Applying model-checking techniques lets you answer other questions about SPKI/SDSI certificate sets [JR02, JR04]
Chapter 4 (Bummer): Actually, SPKI/SDSI PDS
  What about issues such as recency, trust, and expiration?
  From PDSs to weighted PDSs [SJRS03]
Chapter 5 (Ah!): WPDSs provide a new framework for static program analysis that is strictly richer than 35 years' worth of previous approaches [RSJ03, RSJM05]

Slide 88
Idempotent Semiring (D, ⊕, ⊗, 0, 1)  [= Join Semilattice (D, ⊔, ..., ⊥, ...)]
a ⊑ b iff a ⊕ b = b
                      D                      ⊕            ⊗            0     1
  Validity            N ∪ {∞}                max          min          −∞    +∞
  Privacy             {S, I}                 S ⊕ I = I    S ⊗ I = S    S     I
  Auth.               P({rlidwka})           ∪            ∩            ∅     {rlidwka}
  Dataflow analysis   D (transformers)       join         composition        id

Slide 89
WPDSs: A More Powerful Program-Analysis Framework
Example: better debugging primitive
  at a breakpoint at n, retrieve the stack (say S)
  stack-constrained slicing: "What are the program elements that could have affected the values used at n, given that we reached n with stack S?"

Slide 90
An Expanded Set of Queries
  int x;
  void main() {
    x = 5;
    p(); // main_calls_p
    return;
  }
  void p() {
    if (...) {
      x = x + 1;
      p(); // p_calls_p1
      x = x - 1;
    }
    if (...) {
      x = x - 1;
      p(); // p_calls_p2
      x = x + 1;
    }
    return;
  }
Query: value of x at <x, enter_p p_calls_p2 p_calls_p1 main_calls_p> is 5

Slide 91
An Expanded Set of Queries
[Figure: tree of stack configurations built from main_calls_p, enter_p, p_calls_p1, p_calls_p2, with the effect on x along each path: x = 5 at main_calls_p, then +1 before each p_calls_p1 and -1 before each p_calls_p2, and the reverse on return]

Slide 92
An Expanded Set of Queries
(same program as Slide 90)
Query: value of x at <x, enter_p (p_calls_p2 p_calls_p1)* main_calls_p> is 5

Slide 93
An Expanded Set of Queries
(same program as Slide 90)
Query: value of x at <x, enter_p (p_calls_p2 + p_calls_p1)* main_calls_p> is 5 ⊔ 4 = ⊤

Slide 94
An Expanded Set of Queries
(same program as Slide 90)
Query: value of x at <x, enter_p Σ*> is 5 ⊔ 4 = ⊤   (Σ*: any stack configuration)

Slide 95
An Expanded Set of Queries
L1 = <x, enter_p p_calls_p2 p_calls_p1 main_calls_p>
L2 = <x, enter_p (p_calls_p2 p_calls_p1)* main_calls_p>
L3 = <x, enter_p (p_calls_p2 + p_calls_p1)* main_calls_p>
L4 = <x, enter_p Σ*>
JOVP'(L) = ⊔ { pf_p(V0) | c ∈ L, p ∈ MatchedPathsTo[c] }
JOVP(n) = ⊔ { pf_p(V0) | p ∈ MatchedPathsTo[n] }
JOVP'(L3) = JOVP'(L4) = JOVP(enter_p)

Slide 96
So What? Who Cares? [Yawn]
Check properties of programs using model checking
  SLAM [Ball & Rajamani 00]
  MOPS [Chen & Wagner 02]
  "Metacompilation" [Engler et al.]
In essence, all are using PDSs
PDS → WPDS: more powerful formalism for modeling program behaviors: How does the program transform the data?

Slide 97
Widening in Independent-Attribute Domains
  ; ebx: variable i
  ; ecx: variable p
  sub esp, 40        ;adjust stack
  lea edx, [esp+8]   ;
  mov [8], edx       ;pArray2=&a[2]
  lea ecx, [esp]     ;p=&a[0]
  mov edx, [4]       ;
  loc_9:
  mov [ecx], edx     ;*p=arrVal
  add ecx, 4         ;p++
  inc ebx            ;i++
  cmp ebx, 10        ;i<10?
  jl short loc_9     ;
  mov edi, [8]       ;
  mov eax, [edi]     ;return *pArray2
  add esp, 40
  retn
[Figure: memory layout with a Global Region holding mem_4 at (GL,4), mem_8 at (GL,8) and (GL,12), and a Region for main holding main_40 at (main,-40), main_32 at (main,-32) and ret_main at (main,0); after widening, the value set of ecx at loc_9 is (Ø, [-40, ∞]), so the analysis cannot rule out writes beyond the frame]
Corrupts the stack?

Slide 98
Affine-Relation Analysis
Value sets are an independent-attribute domain
  no relations on the values of different variables
Imprecise results, e.g.,
  upper bound for ebx from "cmp ebx,10" (i < 10?)
  but no upper bound for ecx at loc_9
Improved by discovering affine relations
  identifies a loop's induction variables
  . . .
  loc_9:
  mov [ecx], edx     ;*p=arrVal
  add ecx, 4         ;p++
  inc ebx            ;i++
  cmp ebx, 10        ;i<10?
  jl short loc_9     ;
  . . .

Slide 99
Affine-Relation Analysis
Obtain affine relations via static analysis
Propagate loop-bound info from loop-control registers to other variables
  e.g., at loc_9: ecx = esp + (4 × ebx), ebx = ([0,9], Ø), esp = (Ø, -40)
  ecx = (Ø, -40) + 4 × ([0,9], Ø)
  ecx = (Ø, 4 × [-10,-1])
  upper bound for ecx at loc_9
  . . .
  loc_9:
  mov [ecx], edx     ;*p=arrVal
  add ecx, 4         ;p++
  inc ebx            ;i++
  cmp ebx, 10        ;i<10?
  jl short loc_9     ;
  . . .

Slide 100
Affine-Relation Analysis
Affine relation: a0 + Σ_{i=1..n} (a_i x_i) = 0
  x1, x2, …, xn: variables
  a0, a1, …, an: int constants
  more general than
    constant propagation
    induction-variable analysis
ARA for modular arithmetic (Müller-Olm & Seidl [ESOP 05])
  Reformulated using WPDSs
Application
  determine affine relations for x86 registers
  propagate loop-bound info from loop-control registers to other variables

Slide 101
Widening in Independent-Attribute Domains
[Same program and memory layout as Slide 97; with the affine relation ecx = esp + 4 × ebx, the value set of ecx at loc_9 is (Ø, [-40,-4]), which stays inside main's frame]
No corruption of the stack!

Slide 102
Our Story Continues . . .
Traditional trust-management models provide centralized solutions
  require certificates to be sent to a central site for certificate-chain discovery
  not acceptable in practice
  solution: distributed WPDS solver [JSWR06, Kidd unpublished]
    useful in program analysis, too
Polyhedral analysis? "widening weights" [Gopan thesis]
Concurrent PDS model checker [CCKRT06]
  Analysis engine for model checking concurrent programs
  Undecidable in general; uses semi-decision procedure [BET03]
Context-bounded model checking
  Analyze a concurrent program for a bounded number of context switches [QR05], [LTKR08]

Slide 103
Concurrent PDS Model Checking
CPDS: Analysis engine for model checking concurrent programs
  S. Chaki, E. Clarke, N. Kidd, T. Reps, and T. Touili, Verifying concurrent message-passing C programs with recursive calls, TACAS, 2006.
CPDS: Magic + an appropriate WPDS
Found a real bug in a Bluetooth driver

Slide 104
CPDS Analysis of Bluetooth Driver (I)
Model of Bluetooth driver from Windows NT
  Reentrant multi-threaded library
  Has known bug, found by KISS [QW04]
    2 handler processes, each receives one request: A: RUN; B: STOP
    2 context switches: A → B → A
Modeled with a CPDS
  Buggy run performs 8 actions
  Found in 5 seconds, using 334 MB

Slide 105
CPDS Analysis of Bluetooth Driver (II)
"Corrected" version of model obtained from S. Qadeer (Microsoft Research)
Challenge: Could we establish that it was correct?
Answers obtained by CPDS model checking:
  For 2 processes, correct
  For 3 processes, incorrect
    Buggy run performs 14 actions
    Found in 20 seconds, using 391 MB

Slide 106
CPDS Analysis of Bluetooth Driver (III)
What was the bug?
  3 handler processes; 1 request each: A1: RUN, A2: RUN, B: STOP
  4 context switches: A1 → B → A2 → B → A1
[Figure: the interleaving in which B observes counter = 2, then finishes and decrements the counter, releases the resources, and the counter is decremented again]

Slide 107
CPDS Analysis of Bluetooth Driver (IV)
Corrected, "corrected" version
Answers obtained by CPDS model checking:
  For 2 processes, correct
  For 3 processes, correct
  For 4 processes, correct
  For 5 processes, memory exhausted
    [More efficient version being developed]

Slide 108
Context-Bounded Analysis
[QR05]
  program models: predicate abstraction
  explore state space for up to k context switches
    use post* to find reachable configurations
    split post* automaton according to the global states
    for each automaton, perform context switch
[LTKR08]
  program models: WPDSs
  create weighted transducer T that captures the (weighted) reachability relation
  T^k = compose T k times with itself
  apply T^k to initial state

Slide 109
Conclusion
Built a bridge between authorization problems for distributed systems and static program analysis
  Message: use model-checking techniques for the reachability problems that arise in authorization
  Similar to what happened 25 years ago for HW verification
Showed how to fix a flaw in SPKI/SDSI: cert chain → cert tree
Beneficial side effect: improved program-analysis methods
  we use WPDSs extensively in our tools to analyze stripped x86 executables [LRB05, B07]
Cross-fertilization from working on both problems together
Try them yourself: Google for "WPDS++" or "WALi"

Slide 110
Questions?

Slide 112
Related Work
SPKI/SDSI: Clarke, Elien, Ellison, Fredette, Morcos, & Rivest [J. Comp. Sec. 01]
Pushdown systems: Bouajjani, Esparza, & Maler [Concur 97]; Finkel, Willems, & Wolper [ENTCS 97]; Esparza, Hansel, Rossmanith, & Schwoon [CAV 00]; Bouajjani, Esparza, & Touili [POPL 03]
Weighted-hypergraph problems: Knuth [IPL 77]
Grammar flow analysis: Möncke & Wilhelm [WAGA 91]; Ramalingam thesis [LNCS #1089]; Ramalingam & Reps [J. Alg 96]
Interprocedural dataflow analysis: [Cousot & Cousot 78], [Sharir & Pnueli 81], [Knoop & Steffen 92]
IDE framework: Sagiv, Reps, & Horwitz [TCS 96]

Slide 113
Error Projection [SAS 07]
Original program:
  int numUnits;
  int level;
  void getUnit() {
  [1]  bool canEnter = F;
  [2]  if (numUnits == 0) {
  [3]    if (level > 10) {
  [4]      NewUnit();
  [5]      numUnits = 1;
  [6]      canEnter = T;
         }
       } else
  [7]    canEnter = T;
  [8]  if (canEnter)
  [9]    if (numUnits == 0)
  [10]     assert(F);
         else
  [11]     gotUnit();
  }
Abstraction with every condition nondeterministic:
  void getUnit() {
  [1]  . . .
  [2]  if (?) {
  [3]    if (?) {
  [4]      . . .
  [5]      . . .
  [6]      . . .
         }
       } else
  [7]    . . .
  [8]  if (?)
  [9]    if (?)
  [10]     assert(F);
         else
  [11]     . . .
  }
Abstraction tracking the predicate nU0 (numUnits == 0):
  bool nU0;
  void getUnit() {
  [1]  . . .
  [2]  if (nU0) {
  [3]    if (?) {
  [4]      . . .
  [5]      nU0 = F;
  [6]      . . .
         }
       } else
  [7]    . . .
  [8]  if (?)
  [9]    if (nU0)
  [10]     assert(F);
         else
  [11]     . . .
  }
Abstraction tracking nU0 and cE (canEnter):
  bool nU0;
  void getUnit() {
  [1]  bool cE = F;
  [2]  if (nU0) {
  [3]    if (?) {
  [4]      . . .
  [5]      nU0 = F;
  [6]      cE = T;
         }
       } else
  [7]    cE = T;
  [8]  if (cE)
  [9]    if (nU0)
  [10]     assert(F);
         else
  [11]     . . .
  }

Slide 114
Other Contributions
Differential propagation [SCP 05]
  Weight domain + difference operator
  Simultaneous forward & backward analysis
Error projection [SAS 07]
Extended WPDS [CAV 05]
  Extension for handling local variables
Non-saturation-based pre*/post* algs. [CAV06]
Distributed algorithms for WPDS problems
Implemented systems (WPDS++, WALi)
Non-trivial applications in a tool for analyzing stripped executables