Unleashing the Power of Static Analysis Manuvir Das Principal Researcher Center for Software Excellence Microsoft Corporation.

Slides:



Advertisements
Similar presentations
Static Analysis for Security
Advertisements

Advanced programming tools at Microsoft
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Formal Specifications on Industrial Strength Code: From Myth to Reality Manuvir Das Principal Researcher Center for Software Excellence Microsoft Corporation.
02 | Define an Effective End-to-End Software Development Lifecycle Steven Borg | Co-founder & Strategist, Northwest Cadence Anthony Borton | ALM Consultant,
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Automated Verification with HIP and SLEEK Asankhaya Sharma.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
Taming Win32 Threads with Static Analysis Jason Yang Program Analysis Group Center for Software Excellence (CSE) Microsoft Corporation.
API Design CPSC 315 – Programming Studio Fall 2008 Follows Kernighan and Pike, The Practice of Programming and Joshua Bloch’s Library-Centric Software.
Final exam week Three things on finals week: –final exam –final project presentations –final project report.
Software Factory Assembling Applications with Models, Patterns, Frameworks and Tools Anna Liu Senior Architect Advisor Microsoft Australia.
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
ESP: Program Verification Of Millions of Lines of Code Manuvir Das Researcher PPRC Reliability Team Microsoft Research.
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
Software Excellence via Program Verification at Microsoft Manuvir Das Center for Software Excellence Microsoft Corporation.
ESP [Das et al PLDI 2002] Interface usage rules in documentation –Order of operations, data access –Resource management –Incomplete, wordy, not checked.
Chapter 1 Program Design
PASTE at Microsoft Manuvir Das Center for Software Excellence Microsoft Corporation.
Defect Detection at Microsoft – Where the Rubber Meets the Road Manuvir Das (and too many others to list) Program Analysis Group Center for Software Excellence.
Symbolic Path Simulation in Path-Sensitive Dataflow Analysis Hari Hampapuram Jason Yue Yang Manuvir Das Center for Software Excellence (CSE) Microsoft.
Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.
Towards Scalable Modular Checking of User-defined Properties Thomas Ball, MSR Brian Hackett, Mozilla Shuvendu Lahiri, MSR Shaz Qadeer, MSR Julien Vanegue,
Scalable Defect Detection Manuvir Das, Zhe Yang, Daniel Wang Center for Software Excellence Microsoft Corporation.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
Natalia Yastrebova What is Coverity? Each developer should answer to some very simple, yet difficult to answer questions: How do I find new.
1 Lecture 19 Configuration Management Software Engineering.
Tammy Dahlgren with Tom Epperly, Scott Kohn, and Gary Kumfert Center for Applied Scientific Computing Common Component Architecture Working Group October.
Testing and Debugging Version 1.0. All kinds of things can go wrong when you are developing a program. The compiler discovers syntax errors in your code.
Testing. 2 Overview Testing and debugging are important activities in software development. Techniques and tools are introduced. Material borrowed here.
Tips & Tricks: Scrubbing Source Code For Common Coding Mistakes (FxCop And PREfast) Nicholas Guerrera TLNL06 Software Design Engineer Microsoft Corporation.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
CS 363 Comparative Programming Languages Semantics.
DEV337 Modeling Distributed Enterprise Applications Using UML in Visual Studio.NET David Keogh Program Manager Visual Studio Enterprise Tools.
CSE 425: Data Types I Data and Data Types Data may be more abstract than their representation –E.g., integer (unbounded) vs. 64-bit int (bounded) A language.
Overflow Examples 01/13/2012. ACKNOWLEDGEMENTS These slides where compiled from the Malware and Software Vulnerabilities class taught by Dr Cliff Zou.
Chapter 3 Part II Describing Syntax and Semantics.
Chapter 8 Lecture 1 Software Testing. Program testing Testing is intended to show that a program does what it is intended to do and to discover program.
An Undergraduate Course on Software Bug Detection Tools and Techniques Eric Larson Seattle University March 3, 2006.
Design - programming Cmpe 450 Fall Dynamic Analysis Software quality Design carefully from the start Simple and clean Fewer errors Finding errors.
© 2006 Pearson Addison-Wesley. All rights reserved 2-1 Chapter 2 Principles of Programming & Software Engineering.
PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems.
Microsoft Corporation. Announcement Visual Studio® Team System 2008 Enables you to Build Quality Code Be More Productive Collaborate at the Next Level.
CSCI 161 Lecture 3 Martin van Bommel. Operating System Program that acts as interface to other software and the underlying hardware Operating System Utilities.
Boris Jabes Program Manager Visual C++ Microsoft Corporation.
Lecture 1 Page 1 CS 111 Summer 2013 Important OS Properties For real operating systems built and used by real people Differs depending on who you are talking.
C++ for Engineers and Scientists Second Edition Chapter 12 Pointers.
Content Coverity Static Analysis Use cases of Coverity Examples
Building Enterprise Applications Using Visual Studio®
Object Lifetime and Pointers
APEx: Automated Inference of Error Specifications for C APIs
CS703 - Advanced Operating Systems
High Coverage Detection of Input-Related Security Faults
Improving software quality using Visual Studio 11 C++ Code Analysis
Hoare-style program verification
ESP: Program Verification Of Millions of Lines of Code
Introduction to Static Analyzer
4/28/2019 6:13 PM HW-889P Advanced driver code analysis techniques Tips and tricks to develop more secure & reliable drivers Dave Sielaff Principal Software.
Jamie Cool Program Manager Microsoft
Presentation transcript:

Unleashing the Power of Static Analysis Manuvir Das Principal Researcher Center for Software Excellence Microsoft Corporation

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’062 Talking the talk … Static analysis tools can make a huge impact on how software is engineered The trick is to properly balance research with a focus on deployment The Center for Software Excellence (CSE) at Microsoft is doing this (well?) today

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’063 … walking the walk CSE impact on Windows Vista –Found 100,000+ fixed bugs –Added 500,000+ specifications –Answered thousands of s We are program analysis researchers –But we measure our success in adoption –And we feel the pain of the customer

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’064 Context The Nail (Windows) –Manual processes do not scale to real software The Hammer (Static Analysis) –Automated methods for searching programs The Carpenter (CSE) –A systematic, heavily automated, approach to improving the quality of software

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’065 What is static analysis? grep == static analysis static analysis == grep syntax trees, CFGs, alias analysis, dataflow analysis, dependency analysis, binary analysis, symbolic evaluation, model checking, specifications, …

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’066 Roadmap Engineering process Static analysis tools Lessons

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’067 Engineering process

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’068 Build Architecture Main Branch Team Branch Desktop Team Branch Team Branch Desktop ……

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’069 Quality Gates Lightweight tools –run on developer desktop & feature branches –issues tracked within the program artifacts Enforced by rejection at gate Main Branch Team Branch Desktop Team Branch Team Branch Desktop ……

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0610 Central Bug Filing Heavyweight tools –run on main branch –issues tracked through a central bug database Enforced by bug cap Team Branch Desktop Team Branch Team Branch Desktop …… Main Branch

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0611 Static analysis tools

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’ Code correctness Reject code with null pointer dereferences, uninitialized memory, resource leaks, … Inter-procedural simulation – PREfix –Process the call graph bottom-up –Perform symbolic evaluation on a fixed number of paths through every function –Build incomplete symbolic function models –Use symbolic state to avoid infeasible paths –Report defects when bad states arise

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’ Integer overflow Reject code with potential security holes due to unchecked integer arithmetic Construct an expression tree for every interesting expression in the code Ensure that every operation is checked size1 = … size2 = … data = MyAlloc(size1+size2); for (i = 0; i < size1; i++) data[i] = …

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’ Architecture layering Reject code that breaks the component architecture of the product –No dependencies from lower layers of the system to higher layers of the system Dependency analysis tool – MaX –Construct a graph of dependencies between binaries (DLLs) in the system Obvious : call graph Subtle : registry, RPC, …

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’ Security Problem –A security issue is discovered through internal testing, or in the field (MSRC, Watson) Diagnosis –Identify the code pattern that caused the bug Detection (defect by example) –Specify the code pattern formally in OPAL –Use checkers to find instances of the pattern

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0616 RegKey leak defect status = RegOpenKeyExW( HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib", 0L, KEY_READ, & hLocalKey); if (status == ERROR_SUCCESS) bLocalKey = TRUE; … block of code that uses hLocalKey … if (bLocalKey) CloseHandle(hLocalKey); Bug: registry key is closed by calling the generic CloseHandle API –May fail to clean up some data that is specific to registry key data structures

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0617 RegKey leak code pattern Search for code paths along which a registry key is opened, and then closed using the generic CloseHandle API Specification: –define a sequence of relevant actions –e.g. A(k)…B(h) –define the actions (e.g. A, B, k and h)

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0618 RegKey leak specification defect RegKeyCloseHandle { // A(x)…B(x) sequence OpenKey(key);CloseHandle(handle) message “Registry key closed using generic CloseHandle API!” // A(x) pattern OpenKey(key) (_,_,_,_,&key) where (return == 0) // B(x) pattern CloseHandle(handle) (handle) } This is the entire specification effort for the codebase

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0619 Safety properties void main () { if (dump) fil = fopen(dumpFile,”w”); if (p) x = 0; else x = 1; if (dump) fclose(fil); } Closed Opened Error Open Print Open Close Print/Close * void main () { if (dump) Open; if (p) x = 0; else x = 1; if (dump) Close; }

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0620 ESP Symbolic state: FSA + execution state Branch points: Does execution state uniquely determine branch direction? –Yes: process appropriate branch –No: split & update state, and process both branches Merge points: Do states agree on FSA? –Yes: merge states –No: process states separately

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0621 ESP example [Opened|dump=T] [Closed] [Closed|dump=T] [Closed|dump=F] [Opened|dump=T,p=T,x=0] [Opened|dump=T,p=F,x=1] [Opened|dump=T] [Closed|dump=F] [Closed] entry dump p x = 0x = 1 Open Close exit dump T T T F F F

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’ Concurrency Deadlocks, data races, orphan locks, … Sequential analysis of lock sequences at every program point of every thread –Cycle in lock ordering: deadlock –Access without consistent locking: data race –Exit while holding critical section: orphan lock! Inter-procedural dataflow analysis – ESPC –Instance of ESP – lock sequences control merge –Understands Win32 locking semantics

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’ Buffer overruns Defect: a buffer access index is out of bounds Detection: check that index is within bounds Problem: where are the buffer bounds stored? –Tools must track buffer size from allocation to access –Exhaustive global analysis is infeasible Solution: turn global analysis into local analysis –Standard Annotation Language (SAL) –Specify buffer sizes at function interfaces –Perform modular (one function at a time) analysis

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0624 SAL example 1 wcsncpy [precondition] destination buffer must have enough allocated space wchar_t wcsncpy ( wchar_t *dest, wchar_t *src, size_t num ); wchar_t wcsncpy ( __pre __notnull __pre __writableTo(elementCount(num)) wchar_t *dest, wchar_t *src, size_t num ); wchar_t wcsncpy ( __out_ecount(num) wchar_t *dest, wchar_t *src, size_t num);

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0625 SAL example 2 memcpy void * memcpy ( void * dest, void * src, size_t num ); void * memcpy ( __pre __notnull __pre __writableTo(byteCount(num)) __post __readableTo(byteCount(num)) void * dest, __pre __notnull __pre __deref __readonly __pre __readableTo(byteCount(num)) void * src, size_t num ); void * memcpy ( __out_bcount_full(num) void * dest, __in_bcount(num) void * src, size_t num );

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0626 SAL primer Usage example: a 0 RT func(a 1 … a n T par) a i : SAL annotation Interface contracts –pre, post, object invariants Basic properties –null, readonly, valid, range, … Buffer extents –writableTo(size), readableTo(size) Buffer size formats –(byte|element)Count, endPointer, sentinel, …

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0627 SAL ecosystem espX/PREfast/… : Use annotations to find defects SALstats : Identify parameters that should be annotated MIDL Compiler : Translate MIDL directives to annotations SALinfer : Infer annotations using global static analysis

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0628 SALinfer example size(tmp,200) size(buf,len) size(buf2,len) size(buf2,len2) size(buf,len) write(buf) write(buf2) void work() { int tmp[200]; wrap(tmp, 200); } void wrap(int *buf, int len) { int *buf2 = buf; int len2 = len; zero(buf2, len2); } void zero(int *buf, int len) { int i; for(i = 0; i <= len; i++) buf[i] = 0; }

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0629 SALinfer example void work() { int tmp[200]; wrap(tmp, 200); } void wrap(__out_ecount(len) int *buf, int len) { int *buf2 = buf; int len2 = len; zero(buf2, len2); } void zero(__out_ecount(len) int *buf, int len) { int i; for(i = 0; i <= len; i++) buf[i] = 0; }

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0630 espX example void zero(__out_ecount(len) int *buf, int len) { int i; for(i = 0; i <= len; i++) buf[i] = 0; } Subgoal 2: i < sizeOf(buf) assume(sizeOf(buf) == len) for(i = 0; i <= len; i++) buf[i] = 0; inv (i >= 0 && i <= len) Constraints: (C1) i >= 0 (C2) i <= len (C3) sizeOf(buf) == len Goal: i >= 0 && i < sizeOf(buf) Subgoal 1: i >=0 by (C1) Warning: Cannot validate buffer access. Overflow occurs when i == len Subgoal 2: i < len by (C3)Subgoal 2: i < len FAIL assert(i >= 0 && i < sizeOf(buf))

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0631 SAL impact Windows Vista –Mandate: Annotate 100,000 mutable buffers –Developers annotated 500,000+ parameters –Developers fixed 20,000+ bugs Office 12 –Developers fixed 6,500+ bugs Visual Studio, SQL, Exchange, … External customers –CRT + Windows headers SAL annotated –SAL aware compiler shipped with VS 2005

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0632 SAL evaluation Vista – mutable string buffer parameters Annotation cost: [–] 100,000 parameters required annotations [+] 4 out of 10 automatic Defect detection value: [+] 1 buffer overrun exposed per 20 annotations Locked in progress: [+] 9.4 out of 10 buffer accesses validated

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0633 Lessons

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0634 Forcing functions for change Gen 1: Manual Review –Too many code paths to think about Gen 2: Massive Testing –Inefficient detection of simple errors Gen 3: Global Program Analysis –Delayed results Gen 4: Local Program Analysis –Lack of calling context limits accuracy Gen 5: Specifications

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0635 Acceptance of specifications Developers like incremental specs –No specifications, no bugs Developers like useful specs –More specifications, more real bugs Developers like informative specs –Make implicit information explicit –Avoid repeating what the code says

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0636 Defect detection myths Soundness matters –sound == find only real bugs –The real measure is Fix Rate Completeness matters –complete == find all the bugs –There will never be a complete analysis Developers only fix real bugs –Developers fix bugs that are easy to fix, and –Unlikely to introduce a regression

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0637 Theory is important Fundamental ideas have been crucial –Hoare logic –Dataflow analysis –Abstract interpretation –Graph algorithms –Context-sensitive analysis –Alias analysis

8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0638 Summary Static analysis tools can make a huge impact on how software is engineered The trick is to properly balance research with a focus on deployment The Center for Software Excellence (CSE) at Microsoft is doing this (well?) today

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.