David Evans The Bugs and the Bees Research in Programming Languages and Security University of.

Slides:

Advertisements

Similar presentations

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Advertisements

SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.

Concolic Modularity Testing Derrick Coetzee University of California, Berkeley CS 265 Final Project Presentation.

Joel Winstead CS201j: Engineering Software University of Virginia Computer Science Lecture 16: Pointers and Memory Management.

Algorithms and Problem Solving-1 Algorithms and Problem Solving.

OOP in Java Nelson Padua-Perez Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.

1 Objectives To introduces the concept of software Design. To introduce the concept of Object- Oriented Design (OOD). To Define various aspects about object.

Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

Chapter 13 Embedded Systems

A Type System for Expressive Security Policies David Walker Cornell University.

CS 201 Functions Debzani Deb.

Memory Layout C and Data Structures Baojian Hua

Copyright Arshi Khan1 System Programming Instructor Arshi Khan.

C++ fundamentals.

Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.

CS527: (Advanced) Topics in Software Engineering Overview of Software Quality Assurance Tao Xie ©D. Marinov, T. Xie.

A Free sample background from © 2001 By Default!Slide 1.NET Overview BY: Pinkesh Desai.

Introduction 01_intro.ppt

Introduction and Overview Questions answered in this lecture: What is an operating system? How have operating systems evolved? Why study operating systems?

 To explain the importance of software configuration management (CM)  To describe key CM activities namely CM planning, change management, version management.

Eric Keller, Evan Green Princeton University PRESTO /22/08 Virtualizing the Data Plane Through Source Code Merging.

CS 350 – Software Design The Object Paradigm – Chapter 1 If you were tasked to write code to access a description of shapes that were stored in a database.

CS 390- Unix Programming Environment CS 390 Unix Programming Environment Topics to be covered: Distributed Computing Fundamentals.

Dynamic Choreographies Safe Runtime Updates of Distributed Applications Ivan Lanese Computer Science Department University of Bologna/INRIA Italy Joint.

Chapter 3.5 Memory and I/O Systems. 2 Memory Management Memory problems are one of the leading causes of bugs in programs (60-80%) MUCH worse in languages.

OPERATING SYSTEMS Goals of the course Definitions of operating systems Operating system goals What is not an operating system Computer architecture O/S.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Fundamental Programming: Fundamental Programming K.Chinnasarn, Ph.D.

COMP 111 Threads and concurrency Sept 28, Tufts University Computer Science2 Who is this guy? I am not Prof. Couch Obvious? Sam Guyer New assistant.

David Evans These slides: Introduction to Static Analysis.

COP4020 Programming Languages Names, Scopes, and Bindings Prof. Xin Yuan.

David Evans CS551/651: Dependable Computing University of Virginia Computer Science Static Analysis.

07/09/04 Johan Muskens ( TU/e Computer Science, System Architecture and Networking.

Writing Systems Software in a Functional Language An Experience Report Iavor Diatchki, Thomas Hallgren, Mark Jones, Rebekah Leslie, Andrew Tolmach.

David Evans The Bugs and the Bees Research in Programming Languages and Security University of.

1 Ch. 1: Software Development (Read) 5 Phases of Software Life Cycle: Problem Analysis and Specification Design Implementation (Coding) Testing, Execution.

David Evans The Bugs and the Bees Research in Swarm Programming and Security University of Virginia.

Systems for Safety and Dependability David Evans University of Virginia Department of Computer Science.

ECE450 - Software Engineering II1 ECE450 – Software Engineering II Today: Introduction to Software Architecture.

Celluloid An interactive media sequencing language.

1 Splint: A Static Memory Leakage tool Presented By: Krishna Balasubramanian.

(A Somewhat Self-Indulgent) Splint Retrospective David Evans University of Virginia 25 October 2010.

Pointers in C Computer Organization I 1 August 2009 © McQuain, Feng & Ribbens Memory and Addresses Memory is just a sequence of byte-sized.

Software Development Problem Analysis and Specification Design Implementation (Coding) Testing, Execution and Debugging Maintenance.

A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.

Chapter 3 Top-Down Design with Functions Part II J. H. Wang ( 王正豪 ), Ph. D. Assistant Professor Dept. Computer Science and Information Engineering National.

Policy-Directed Code Safety David Evans April 1999 Software Devices and Systems MIT Lab for Computer Science.

Architecture View Models A model is a complete, simplified description of a system from a particular perspective or viewpoint. There is no single view.

POINTERS. // Chapter 3 - Program 1 - POINTERS.CPP #include int main() { int *pt_int; float *pt_float; int pig = 7, dog = 27; float x = , y = 32.14;

Semantic Analysis II Type Checking EECS 483 – Lecture 12 University of Michigan Wednesday, October 18, 2006.

David Evans Swarm Programming How to Program a MicroNet University of Virginia Department of Computer.

From Use Cases to Implementation 1. Structural and Behavioral Aspects of Collaborations  Two aspects of Collaborations Structural – specifies the static.

July 19, 2004Joint Techs – Columbus, OH Network Performance Advisor Tanya M. Brethour NLANR/DAST.

David Evans The Bugs and the Bees Research in Programming Languages and Security University of.

1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.

From Use Cases to Implementation 1. Mapping Requirements Directly to Design and Code  For many, if not most, of our requirements it is relatively easy.

Sung-Dong Kim, Dept. of Computer Engineering, Hansung University Java - Introduction.

A Single Intermediate Language That Supports Multiple Implemtntation of Exceptions Delvin Defoe Washington University in Saint Louis Department of Computer.

University of Virginia Computer Science Extensible Lightweight Static Checking David Evans On the I/O.

Jeremy Nimmer, page 1 Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science Joint work with.

CS4222 Principles of Database System

Algorithms and Problem Solving

Security in Java Real or Decaf? cs205: engineering software

Improving Security Using Extensible Lightweight Static Analysis

Memory Allocation CS 217.

Lecture Topics: 11/1 General Operating System Concepts Processes

Lecture 4: Data Abstraction CS201j: Engineering Software

Lecture 17: Defeating Malcode (Shameless Self-Promotion) Background

Annotation-Assisted Lightweight Static Checking

Presentation transcript:

David Evans The Bugs and the Bees Research in Programming Languages and Security University of Virginia Department of Computer Science

Background Joined UVA, November 1999 BS/MS ‘94, and PhD ‘2000 from MIT Funding for three new students (but will probably only accept 1 or 2) Courses –Security (CS551) –Grad. Programming Languages (CS655)

Menu The Bugs The Bees - “Programming the Swarm” LCLint How do we help good people write better programs? How do we prevent bad programs from doing bad things? How can we program large collections of devices?

A Gross Oversimplification Effort Required Low Unfathomable Formal Verifiers Bugs Detected none all Compilers LCLint

Requirements No interaction required – as easy to use as a compiler Fast checking – as fast as a compiler Gradual Learning/Effort Curve –Little needed to start –Clear payoff relative to user effort

Approach Programmers add annotations (formal specifications) –Simple and precise –Describe programmers intent: Types, memory management, data hiding, aliasing, modification, null-ity, etc. LCLint detects inconsistencies between annotations and code –Simple (fast!) dataflow analyses

Sample Annotation: only Reference (return value) owns storage No other persistent (non-local) references to it Implies obligation to transfer ownership Transfer ownership by: –Assigning it to an external only reference –Return it as an only result –Pass it as an only parameter: e.g., extern void free (only void *); extern only char *gptr; extern only out null void *malloc (int);

Example 1int dummy (void) { 2 int *ip= (int *) malloc (sizeof (int)); 3 *ip = 3; 4 return *ip; 5 } extern only null void *malloc (int); in library LCLint output: dummy.c:3:4: Dereference of possibly null pointer ip: *ip dummy.c:2:13: Storage ip may become null dummy.c:4:14: Fresh storage ip not released before return dummy.c:2:43: Fresh storage ip allocated

LCLint Status Public distribution since 1993 Effective checking >100K line programs (checks about 1K lines per second) –Detects lots of real bugs in real programs (including itself, of course) –Thousands of users, Linux Journal, etc. Checks include type abstractions, modifications, globals, memory leaks, dead storage, naming conventions, undefined behavior, incomplete definition...

Where do we go from here? Extensible Checking –Allow users to define new annotations and associated checking Integrate run-time checking –Combine static and run-time checking to enable additional checking and completeness guarantees Generalize framework –Support static checking for multiple source languages in a principled way

LCLint More information: lclint.cs.virginia.edu PATV ‘2000, PLDI ’96, FSE’94 Students: David Larochelle, Chris Barker, Vic Ludwig Current Funding: NASA (joint with John Knight) Previous funding: DARPA, NSF, ONR, DEC

Untrusted Program Safe Program

Naccio Motivation Weaknesses in existing code safety systems: –Limited range of policies –Policy definition is ad hoc and platform dependent Enforcement is tied to a particular architecture Can we solve them without sacrificing efficiency or convenience? Yes!

General method for defining policies –Abstract resources –Platform independent System architecture for enforcing policies –Prototypes for JavaVM classes, Win32 executables Program Safe Program Safety Policy Naccio Overview

Problem User’s View Files Resources Policy System View WriteFile (fHandle, …) Disk Program System Library OS Kernel tar cf * Platform Interface

Safety Policy Definition Resource descriptions: abstract operational descriptions of resources (files, network, threads, display, …) Platform interface: mapping between system events (e.g., Java API calls, Win32 API calls) and abstract resources Resource use policy: constraints on manipulating those resources

Policy description file Application transformer transformer Program Version of program that: Uses policy-enforcing system library Satisfies low-level code safety Naccio Architecture Current Platforms: JavaVM – program is collection of Java classes Win32 – program is Win32 executable and DLLs Per application Policycompiler Safety policy definition Policy-enforcing system library Per policy

Open Issues Low-Level Code Safety for Win32 –How can you prevent malicious programmer from tampering with checking code? Policy Development –What is the correct policy for different environments? User Interface –How can you present policy violations to naive users in a sensible way?

Naccio Summary Method for defining large class of policies –Using abstract resources General architecture for code safety Encouraging results so far –Win32 (Andrew Twyman, MIT MEng’99): need to implement low-level safety –JavaVM: believed to be secure For more information: IEEE Security & Privacy `99, my PhD thesis

Programming the Swarm

1950s: Programming in the small... Programmable computers Learned the programming is hard Birth of higher-order languages Tools for reasoning about trivial programs Really Brief History of Computer Science 1970s: Programming in the large... Abstraction, objects Methodologies for development Tools for reasoning about component-based systems 2000s: Programming in the Swarm!

Programming the Swarm: Long-Range Goal Cement 10 GFlop

What’s Changing Execution Platforms –Not computers (98% of microprocessors sold this year) –Small and cheap Execution environment –Interact with physical world –Unpredictable, dynamic Programs –Old style of programming won’t work –Is there a new paradigm?

Swarm Programming Primitives describe group behaviors –What are the primitives? –How are they specified? Important to understand both functional (how the state changes) and non-functional (power use, robustness, efficiency, etc.) properties Construct complex behaviors by composing primitives –Predict behavior of result –Pick the right primitives based on description of desired non-functional properties

Group Behavior smarter devices smarter behavior Bee house-hunting Stadium Wave Jazz Octet Ant Routing Canada Geese Manchester United Concrete Bridge Disperse (demo) CS IM Team

Finding an Advisor Don’t rely on the matching process –This is the last resort! Find someone with whom you can well –Can’t tell this from one breakout session –Meet at least twice with potential advisors before matching forms

Summary – Project Decision Tree People are basically good? Yes LCLint Annotation- Assisted Lightweight Static Checking People are basically evil? No Yes Policy-Directed Code Safety People are basically crazy? No Yes Programming the Swarm No ? Sign up for meeting times (form going around).