Some Improvements for More Precise Model Checking
Zhi Zhang
State Key Laboratory for Novel Software Technology, Nanjing University, China

Outline
1. Introduction
2. EMOPS overview
3. Some improvements taken in EMOPS
4. Experimental results
5. Conclusion and future work
Introduction
Model checking is an automatic technique for verifying finite-state systems. It exhaustively checks a finite-state model of a system for violations of a safety property formally specified as a formula in some temporal logic, an automaton, or a collection of assertions.
(Diagram: the checked system is abstracted to a finite-state model and the safety property to a safety model; both are fed to the model checker, which produces the results.)
Introduction
Existing model checkers either cannot be applied to large-scale systems because of state explosion, or trade precision for scalability, as MOPS does. To overcome these problems we developed EMOPS, an extended tool based on MOPS, which greatly increases MOPS's precision while maintaining its scalability.
EMOPS overview
(Architecture: dataflow analysis, model checker, counterexample path verification.)
Contributions:
1. Combination of control flow and dataflow information
2. Extension of the model checking algorithm
3. Counterexample path verification
Some improvements taken in EMOPS: Dataflow analysis
Program slice under the guidance of the security model
Rules for program slice
Purpose of program slice: get the safety-relevant functions and reduce the cost of dataflow analysis

Some improvements taken in EMOPS: Dataflow analysis
Demand-driven dataflow analysis
Rules for dataflow analysis
Purpose: the demand-driven alias analysis is done on the safety-relevant functions in bottom-up order to further reduce the cost of dataflow analysis.

Some improvements taken in EMOPS: Dataflow analysis
Algorithm for dataflow analysis
1. Construct the call graph
2. For each leaf node nd: Demand-Driven Alias Analysis (nd)
3. For each node nd in a loop: Fix Point Computation (nd)
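The slicing and bottom-up analysis of the three slides above, as an added example that is not EMOPS's own code: the call graph is sliced down to the functions that can reach a function named in the safety model (here only `free`), Tarjan's algorithm orders the remaining functions callees-first, and recursive groups are iterated to a fixed point. The per-function summary computed here (which parameter indices may be freed through the function) stands in for the demand-driven alias analysis the slides do not spell out; the program representation, `MODEL_SUMMARIES` and all function names are assumptions.

```python
# Added example (not EMOPS's code): safety-model-guided program slice followed by a
# bottom-up, fixed-point summary computation over the call graph.
# Program representation (an assumption): name -> parameter list and a body of calls.
PROGRAM = {
    "helper":    {"params": ["x"],      "body": [("call", "free", ["x"])]},
    "free_both": {"params": ["a", "b"], "body": [("call", "free", ["a"]),
                                                 ("call", "helper", ["b"])]},
    "walk":      {"params": ["n"],      "body": [("call", "walk", ["n"]),        # recursion
                                                 ("call", "free_both", ["n", "n"])]},
    "log":       {"params": ["m"],      "body": [("call", "puts", ["m"])]},     # never reaches free
    "main":      {"params": [],         "body": [("call", "walk", ["h"]),
                                                 ("call", "log", ["s"])]},
}
# Functions named by the safety model, with the argument positions they consume
# (constructed: free() consumes its first argument).
MODEL_SUMMARIES = {"free": frozenset({0})}


def call_graph(program):
    return {f: {s[1] for s in info["body"] if s[0] == "call"} for f, info in program.items()}


def safety_relevant(program, model_funcs):
    """Program slice: keep only functions whose calls can (transitively) reach a model function."""
    callers = {}
    for f, callees in call_graph(program).items():
        for g in callees:
            callers.setdefault(g, set()).add(f)
    relevant, work = set(), list(model_funcs)
    while work:
        g = work.pop()
        for f in callers.get(g, ()):
            if f not in relevant:
                relevant.add(f)
                work.append(f)
    return relevant


def tarjan_sccs(graph):
    """Strongly connected components of the call graph, emitted callees-first."""
    index, low, stack, on_stack, out = {}, {}, [], set(), []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in graph.get(v, ()):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                      # v is the root of a component
            comp = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.append(w)
                if w == v:
                    break
            out.append(comp)

    for v in graph:
        if v not in index:
            visit(v)
    return out


def summarize(f, program, summaries):
    """One pass over f: which of its parameters flow into a consumed parameter of a callee."""
    params = program[f]["params"]
    out = set()
    for _, callee, args in program[f]["body"]:
        for i, arg in enumerate(args):
            if i in summaries.get(callee, ()) and arg in params:
                out.add(params.index(arg))
    return frozenset(out)


def bottom_up_summaries(program, model_summaries):
    """Analyse only the sliced functions, callees before callers; a recursive
    group (an SCC with more than one node or a self-call) is iterated to a fixed point."""
    relevant = safety_relevant(program, model_summaries)
    graph = {f: {g for g in call_graph(program)[f] if g in relevant} for f in relevant}
    summaries = dict(model_summaries)
    for scc in tarjan_sccs(graph):
        for f in scc:
            summaries.setdefault(f, frozenset())
        changed = True
        while changed:
            changed = False
            for f in scc:
                new = summarize(f, program, summaries)
                if new != summaries[f]:
                    summaries[f] = new
                    changed = True
    return summaries


if __name__ == "__main__":
    for f, s in bottom_up_summaries(PROGRAM, MODEL_SUMMARIES).items():
        print(f, sorted(s))
```

`log` never appears in the result because the slice removes it before any dataflow work is spent on it, and `walk` converges after two passes even though it calls itself.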
Some improvements taken in EMOPS: Model checker
Extended rules for the PDA
For an edge in the program's CFG from program point p1 to p2 with statement i:
(1) If i is not a function call →
(2) If i is a call to a function f →
(3) If i is a return statement from a function f →
Extended algorithm for the model checker
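The three PDA rules above (plain statement, call, return), as an added example that is not MOPS's or EMOPS's own code: the checker walks the program's CFG with an explicit call stack and carries a double-free safety automaton next to a flow-sensitive must-alias environment, which is the "combination of control flow and dataflow information" named on the overview slide. The statement forms, the single global variable environment (no parameters or locals) and the function names are assumptions; `use_alias=False` shows what a purely control-flow check that compares variable names does on the same programs.

```python
# Added example (not MOPS's or EMOPS's code): pushdown exploration of a CFG with a
# double-free automaton, with and without alias information.
from collections import deque

# Constructed programs; each function is a list of statements (assumed forms):
#   ('alloc', v)      v points to fresh memory        ('free', v)    free(v)
#   ('assign', v, w)  v now aliases w                 ('call', f)    call f
#   ('if', target)    jump to index target or fall through           ('ret',)
CALLEE_FREES = {
    "main":    [("alloc", "p"), ("call", "release"), ("if", 4), ("free", "p"), ("ret",)],
    "release": [("assign", "q", "p"), ("free", "q"), ("ret",)],
}
REUSE = {
    "main": [("alloc", "p"), ("free", "p"), ("alloc", "p"), ("free", "p"), ("ret",)],
}


def run_check(program, entry, use_alias=True):
    """Explore every CFG path from `entry` with an explicit call stack (the PDA
    stack), tracking the location each variable points to and which locations
    have already been freed. free() of a freed location is the error state of
    the double-free automaton; the trace leading there is returned as a
    counterexample path. With use_alias=False only variable names are compared."""
    work = deque([(entry, 0, (), frozenset(), (), ())])
    seen, findings = set(), []
    while work:
        func, pc, env, dangling, stack, trace = work.popleft()
        key = (func, pc, env, dangling, stack)
        if key in seen:
            continue
        seen.add(key)
        stmt = program[func][pc]
        trace += ((func, pc, stmt),)
        envd = dict(env)
        succ = [(func, pc + 1)]                        # rule (1): plain statement
        kind = stmt[0]
        if kind == "alloc":
            envd[stmt[1]] = ("loc", func, pc)          # allocation site names the location
        elif kind == "assign":
            envd[stmt[1]] = envd.get(stmt[2], ("uninit", stmt[2]))
        elif kind == "free":
            v = stmt[1]
            loc = envd.get(v, ("uninit", v)) if use_alias else v
            if loc in dangling:
                findings.append(trace)                 # automaton reaches its error state
                continue
            dangling = dangling | {loc}
        elif kind == "call":                           # rule (2): push the return point
            succ = [(stmt[1], 0)]
            stack = stack + ((func, pc + 1),)
        elif kind == "ret":                            # rule (3): pop it again
            if not stack:
                continue
            succ, stack = [stack[-1]], stack[:-1]
        elif kind == "if":
            succ = [(func, pc + 1), (func, stmt[1])]   # both outcomes are explored
        env = tuple(sorted(envd.items()))
        for f, p in succ:
            if p < len(program[f]):
                work.append((f, p, env, dangling, stack, trace))
    return findings


if __name__ == "__main__":
    for name, prog in (("CALLEE_FREES", CALLEE_FREES), ("REUSE", REUSE)):
        for alias in (True, False):
            print(name, "alias" if alias else "names", len(run_check(prog, "main", alias)))
```

On `CALLEE_FREES` the alias-aware run reports the double free that happens through `q`, which the name-only run misses; on `REUSE` the name-only run reports a double free of `p` that the alias-aware run correctly rejects because the second `free` refers to a fresh allocation.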
Some improvements taken in EMOPS: Counterexample path verification
Purpose: to improve the precision of the model checking results and reduce false positives
The way for path verification: we employ the model checker BLAST to verify the path's feasibility
Steps of path verification:
(1) Path instrumentation
(2) Path verification by BLAST
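The two steps above, as an added example that is not EMOPS's code: a counterexample path is instrumented into a straight-line program whose branches become `assume()` statements, and its feasibility is then checked. EMOPS hands that program to BLAST; here a simple interval check over integer variables stands in for BLAST so the example runs offline, and the `assume()` text is a generic sketch rather than BLAST's input format. The path encoding and all names are assumptions.

```python
# Added example (not EMOPS's code): path instrumentation plus a feasibility
# check that stands in for BLAST.
INF = float("inf")

# Constructed counterexample paths from a double-free automaton; the second
# free() is only reached through two branches. Statement forms (assumed):
#   ('assign', var, int)    ('branch', var, op, const, taken)    anything else: a call
SPURIOUS = [("assign", "n", 10), ("free", "p"),
            ("branch", "n", ">", 5, True),     # then-branch taken
            ("branch", "n", "<", 3, True),     # then-branch taken: contradicts n == 10
            ("free", "p")]
REAL = [("assign", "n", 10), ("free", "p"),
        ("branch", "n", ">", 5, True),
        ("branch", "n", "<", 3, False),        # else-branch taken
        ("free", "p")]

NEGATE = {">": "<=", "<": ">=", ">=": "<", "<=": ">", "==": "!="}


def instrument_path(path):
    """Step (1): every branch on the path becomes an assume() of the outcome
    actually taken, other statements are copied, giving one straight-line program."""
    lines = []
    for stmt in path:
        kind = stmt[0]
        if kind == "assign":
            lines.append(f"{stmt[1]} = {stmt[2]};")
        elif kind == "branch":
            _, var, op, const, taken = stmt
            cond = f"{var} {op} {const}"
            lines.append(f"assume({cond});" if taken else f"assume(!({cond}));")
        else:
            lines.append(f"{kind}({', '.join(map(str, stmt[1:]))});")
    return lines


def narrow(lo, hi, op, c):
    """Intersect the integer interval [lo, hi] with {v | v op c}."""
    if op == ">":
        lo = max(lo, c + 1)
    elif op == ">=":
        lo = max(lo, c)
    elif op == "<":
        hi = min(hi, c - 1)
    elif op == "<=":
        hi = min(hi, c)
    elif op == "==":
        lo, hi = max(lo, c), min(hi, c)
    elif op == "!=" and lo == hi == c:
        return 1, 0                         # the only value is excluded: empty
    return lo, hi


def path_feasible(path):
    """Step (2), stand-in for BLAST: walk the path with one integer interval per
    variable; an empty interval means no input drives execution down this path,
    so the counterexample is spurious."""
    box = {}
    for stmt in path:
        if stmt[0] == "assign":
            box[stmt[1]] = (stmt[2], stmt[2])
        elif stmt[0] == "branch":
            _, var, op, c, taken = stmt
            if not taken:
                op = NEGATE[op]
            lo, hi = box.get(var, (-INF, INF))
            lo, hi = narrow(lo, hi, op, c)
            if lo > hi:
                return False
            box[var] = (lo, hi)
    return True


def filter_counterexamples(paths):
    """Keep only the feasible paths; the rest are the false positives filtered out."""
    return [p for p in paths if path_feasible(p)]


if __name__ == "__main__":
    for p in (SPURIOUS, REAL):
        print("\n".join(instrument_path(p)), "=> feasible:", path_feasible(p), "\n")
```

The interval check is sound only for straight-line integer constraints of this shape; BLAST's predicate abstraction handles pointers and arbitrary C, which is why EMOPS delegates the step to it.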
Experimental results: EMOPS and MOPS

Vulnerability      Application            MOPS   EMOPS   Real/Total CE-paths   Path filter
Double Free        cvs                    NO     YES     1(2)                  1
                   krb                           YES     1(1)                  0
Memory Leak        squid-2.4.STABLE3      NO     YES     1(4)                  2
                   wget                   NO     YES     1(9)                  6
                   which-2.16             NO     YES     1(5)                  2
Buffer Overflow    gzip-1.2.4             NO     YES     1(1)                  0
                   ncompress-4.2.4        NO     YES     1(1)                  0
                   sendmail-8.7.5         NO     YES     1(2)                  1
                   wu-ftpd beta-18-vr8    NO     YES     1(3)                  2
Experimental results: Results of program slice

Application            Before program slice   After program slice   Compaction rate
cvs                                                                  %
krb                                                                  %
squid-2.4.STABLE                                                     %
wget
which                                                                %
gzip                                                                 %
ncompress                                                            %
sendmail                                                             %
wu-ftpd beta-18-vr                                                   %
Experimental results: Comparison between alias analysis based on points-to sets and the demand-driven method, and their cost (ms)

Application            Traditional dataflow analysis (ms)   Demand-driven dataflow analysis (ms)   Improvement rate
cvs                                                                                                 %
krb                                                                                                 %
squid-2.4.STABLE                                                                                    %
wget                                                                                                %
which                                                                                               %
gzip                                                                                                %
ncompress                                                                                           %
sendmail                                                                                            %
wu-ftpd beta-18-vr                                                                                  %
Conclusion and future work
We describe a tool, EMOPS, which improves MOPS's performance from two aspects:
(1) combination of control flow and dataflow information
(2) path verification
Future work
In EMOPS, as in most program analysis tools, the safety model for the temporal safety property has to be constructed manually. In our future work, we will try to make this process automatic through mining techniques that extract the specification of the temporal safety property from the source code.