Presentation is loading. Please wait.

Presentation is loading. Please wait.

Decision Procedures for String Constraints Pieter Hooimeijer 2.

Published byBrice Elliott Modified over 8 years ago

Similar presentations

Presentation on theme: "Decision Procedures for String Constraints Pieter Hooimeijer 2."— Presentation transcript:

1

2 Decision Procedures for String Constraints Pieter Hooimeijer 2

3 3 http://en.wikipedia.org/wiki/Osborne_1

4 4

5 5

6 What could possibly go wrong? 6

7 7 Attacker: im.png' onload='javascript:...

8 8 Attacker: im.png' onload='javascript:...

9 9 Attacker: im.png' onload='javascript:... <img src='im.png' onload ='j

10 10 Attacker: im.png' onload='javascript:... <img src='im.png' onload ='j

11 11

12 12 www.cs.virginia.edu/~ph4u/

13 Talk Outline 13 BackgroundBuildingTuningConclusion

14 Talk Outline 14 BackgroundBuildingTuningConclusion

15 15 200720082009201020112012 ASE Bug Reports SocialNets Proxied Content SocialNets Proxied Content Sesena MacroLab 3 Sensys MacroLab 2 USENIX Sec BEK POPL BEK2 Sensys MacroLab ISSTA Hampi TOSEM Hampi 2 2013 PLDI DPRLE ASE StrSolve VMCAI Data structures J. ASE StrSolve 2

16 16 200720082009201020112012 ASE Bug Reports SocialNets Proxied Content SocialNets Proxied Content Sesena MacroLab 3 Sensys MacroLab 2 USENIX Sec BEK POPL BEK2 Sensys MacroLab ISSTA Hampi TOSEM Hampi 2 2013 This Talk PLDI DPRLE ASE StrSolve VMCAI Data structures J. ASE StrSolve 2

17 Decision Procedures Program analysis work frequently uses one of these: They solve mathematical constraints There is a standard input format 17

18 Example 18

19 19 (declare-fun x () Int) (assert (= (* x x) 25)) (assert (> x 0)) (check-sat) (get-model) ✔

20 Motivation Reasoning about strings is difficult: – for programmers – for automated tools 20

21 String Constraint Solvers 21 Kaluza Hampi Rex

22 22 Kaluza Hampi Rex String a; //... R = Regex("^ab$"); R.IsMatch(a) = true; String a; //... R = Regex("^ab$"); assert(R.Match(a));

23 String a; //... R = Regex("^ab$"); R.IsMatch(a) = true; 23 ✔ String a; //... R = Regex("^ab$"); assert(R.Match(a)); Kaluza Hampi Rex

24 String a; //... R = Regex("^ab$"); R.IsMatch(a) = true; 24 ✔ String a; //... R = Regex("^ab$"); assert(R.Match(a)); Kaluza Hampi Rex solution(s) constraints solvers

25 What should we model? 25

26 Example 26 How hard is regex matching in Perl?

27 A: Just as hard as 3-SAT… 27 $istr = '^'. ('(x?)' x $V). ".*;\n" $ireg = '^'. ('(x?)' x $V). ".*;\n". join('', map {'(?:'. join('|', map { $_ < 0 ? ('\\'. -$_. 'x') : ('\\'. $_ ) } @$_ ). "),\n" } @Clauses ); http://perl.plover.com/NPC/NPC-3SAT.html

28 Where do constraints come from? 28

29 29 String a; //... R = Regex("^ab$"); if (R.IsMatch(a)) { //... } Code

30 30 Constraint Generation Constraint Solving

31 31 Constraint Generation Constraint Solving

32 Talk Outline 32 BackgroundBuildingTuningConclusion

33 Chapter 2: Defining String Constraints 33 Contributions: 1.The definition of the regular matching assignments problem 2.An algorithm, its implementation, and correctness proof 3.An evaluation, applying (2) to a static analysis problem

34 34 demo (internet permitting)

35 Evaluation 35 The Task: generate string inputs that exercise 17 known vulnera- bilities in 30,000 lines of PHP Metric: running time

36 Results 36 Our constraint definition is sufficiently expressive to capture the constraints of interest Wall-clock running time is between 0.01 seconds and 10 minutes

37 Talk Outline 37 BackgroundBuildingTuningConclusion

38 Chapter 3: Evaluating Data Structures 38 Contribution: 4.An apples-to-apples performance comparison of data structures and algorithms for automata- based string constraint solving

39 Motivation Existing work provided tool-to- tool performance comparisons Confounds: Performance gains may be due to external factors 39

40 The Framework Based on Rex Fixes external factors: – front-end parser – regex-to-automaton conversion – implementation language – search tree 40

41 Study Design Tasks: – automaton intersection – automaton subtraction 41 Metric: – running time

42 Character Sets 42 BDD Pred Range Hash binary decision diagrams symbolic bitvector ranges in DNF concrete set of character ranges concrete set of individual characters

43 43

44 44 EagerLazy

45 45 EagerLazy ASCII Unicode ASCII Unicode ASCII Unicode ASCII Unicode

46 Results 46 EagerLazy ASCII Unicode ASCII Unicode ASCII Unicode ASCII Unicode

47 LazyEager BDD Pred Range Hash 47 ASCII Unicode

48 BDD Pred Range Hash 48 ASCII Unicode LazyEager

49 Chapter 4: Solving String Constraints Lazily 49 Contributions: 5.A novel (lazy) algorithm for solving multivariate string constraints 6.A comprehensive performance evaluation

50 Motivation 50 More scalable algorithms are more likely to see real use

51 Approach 1.Eagerly construct a high-level representation of the search space 2.Explore the search space lazily, adding restrictions for one variable at a time 51

52 Evaluation 52 DifferenceHampi Long Strings CFG Intersection

53 Evaluation 53 DifferenceHampi Long Strings CFG Intersection

54 Hampi: Background 54 200720082009201020112012 SocialNets Proxied Content SocialNets Proxied Content USENIX Sec BEK POPL BEK2 ISSTA Hampi TOSEM Hampi 2 2013 PLDI DPRLE ASE StrSolve VMCAI Data structures J. ASE StrSolve 2

55 Hampi: Background 55 SocialNets Proxied Content SocialNets Proxied Content USENIX Sec BEK POPL BEK2 TOSEM Hampi 2 PLDI DPRLE ASE StrSolve VMCAI Datastructures J. ASE StrSolve 2 ISSTA Hampi 2011201220132010200720082009

56 Hampi: Architecture 56 Hampi STP (bv) MiniSAT

57 57 encoding Hampi STP (bv) MiniSAT solving

58 Experiment 58 Task: regex difference (same dataset as before) Metric: proportion of wall-clock time spent solving

59 Results 59 1 5 10 15 Proportion of Running time

60 Results 60 1 5 10 15

61 Results 61 1 5 10 15 Proportion of Running Time

62 Evaluation 62 DifferenceHampi Long Strings CFG Intersection

63 Experiment 63 Task: intersect two regexes parameterized on n: [a-c]*a[a-c]{n+1} and [a-c]*b[a-c]{n} Metric: running time

64 Participating Tools 64 Hampi Rex Strsolve

65 Results 65 Rex Hampi Strsolve n

66 Talk Outline 66 BackgroundBuildingTuningConclusion

67 Introduced string constraint solving in the context of program analysis Two algorithms: one eager (DPRLE), one lazy (strsolve) Presented experiments – data structure selection – solving multivariate constraints Our lazy prototype outperforms other approaches on indicative workloads 67

68 68 www.cs.virginia.edu/~ph4u/ Thanks for stopping by!

69 69

Download ppt "Decision Procedures for String Constraints Pieter Hooimeijer 2."

Similar presentations

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Delta Debugging and Model Checkers for fault localization

Delta Debugging and Model Checkers for fault localization
A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.

A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
The GDSE Framework A Meta-Tool for Automated Design Space Exploration Tripti Saxena Graduate Student Vanderbilt University 1.

The GDSE Framework A Meta-Tool for Automated Design Space Exploration Tripti Saxena Graduate Student Vanderbilt University 1.
PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
Introduction to Computer Science 2 Lecture 7: Extended binary trees

Introduction to Computer Science 2 Lecture 7: Extended binary trees
Equivalence of Extended Symbolic Finite Transducers Presented By: Loris D’Antoni Joint work with: Margus Veanes.

Equivalence of Extended Symbolic Finite Transducers Presented By: Loris D’Antoni Joint work with: Margus Veanes.
Michael Alves, Patrick Dugan, Robert Daniels, Carlos Vicuna

Michael Alves, Patrick Dugan, Robert Daniels, Carlos Vicuna
Control Flow Analysis (Chapter 7) Mooly Sagiv (with Contributions by Hanne Riis Nielson)

Control Flow Analysis (Chapter 7) Mooly Sagiv (with Contributions by Hanne Riis Nielson)
CS7100 (Prasad)L16-7AG1 Attribute Grammars Attribute Grammar is a Framework for specifying semantics and enables Modular specification.

CS7100 (Prasad)L16-7AG1 Attribute Grammars Attribute Grammar is a Framework for specifying semantics and enables Modular specification.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Translator Architecture Code Generator ParserTokenizer string of characters (source code) string of tokens abstract program string of integers (object.

Translator Architecture Code Generator ParserTokenizer string of characters (source code) string of tokens abstract program string of integers (object.
1 Dependent Types for Termination Verification Hongwei Xi University of Cincinnati.

1 Dependent Types for Termination Verification Hongwei Xi University of Cincinnati.
Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.
1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.

1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.
1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.

1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.
1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.
Towards a Lightweight Model of BGP Safety Matvey Arye Princeton University Joint work with: Rob Harrison, Richard Wang, Jennifer Rexford (Princeton) Pamela.

Towards a Lightweight Model of BGP Safety Matvey Arye Princeton University Joint work with: Rob Harrison, Richard Wang, Jennifer Rexford (Princeton) Pamela.

Similar presentations

Ads by Google