Presentation is loading. Please wait.

Presentation is loading. Please wait.

Optimistic Hybrid Analysis

Published byMagnus Roberts Modified over 7 years ago

Similar presentations

Presentation on theme: "Optimistic Hybrid Analysis"— Presentation transcript:

1 Optimistic Hybrid Analysis
David Devecsery, Peter M. Chen, Satish Narayanasamy, Jason Flinn University of Michigan Thank you for the introduction. We all know prog. Analysis is essential to understanding and debugging our code and systems Today I will tell you about a new analysis method which combines unsound static analysis and speculation to accelerate dynamic analysis without sacrificing its accuracy or soundness

2 Motivation – Problem Dynamic analysis is essential
Memory errors Buffer overflow, use-after-free, double free, memory leak… Information flow Taint tracking, information providence, program slicing… Race freedom Type safety Many more We want to enforce these properties in programs Need precise (no false positives) and sound (no false negatives) program analysis David Devecsery

3 Motivation – Problem Problem: Dynamic analysis too expensive
Information flow 1-2 orders of magnitude overhead Race detection order of magnitude slowdown Question: Can we create a faster dynamic analysis? Code Binary + Dynamic Checks int a = my_malloc() int b = my_malloc() *a = read() *b = read() int c = *a + *b Free(a) Free(b) Instrumenter David Devecsery

4 Motivation – Hybrid Analysis
Use static analysis to optimize dynamic analysis If static analysis is sound dynamic analysis retains soundness Code Sound Static Analysis Binary + int a = my_malloc() int b = my_malloc() *a = read() *b = read() int c = *a + *b Free(a) Free(b) Dynamic Checks Instrumenter David Devecsery

5 Sound Static Analysis is Inaccurate
Makes conservative approximations for soundness Sound static analysis has high false positive rate Sound static analysis considers too many states to adequately optimize dynamic analysis! P – Possible Program States S – Over-approximation used by analysis P S David Devecsery

6 Optimistic Hybrid Analysis
Novel dynamic analysis optimization methodology Combines profiling, unsound static analysis, and speculative dynamic execution Unsound static analysis – better optimize analysis Speculative execution – handles analysis unsoundness No loss of soundness or precision Optimistic Hybrid Backward Slicer: OptSlice Retains accuracy of traditional dynamic slicer On average: 7.7x faster than hybrid dynamic slicer David Devecsery

7 Overview Motivation Optimistic Hybrid Analysis Overview
Likely Invariant Gathering Optimistic Static Analysis Speculative Dynamic Analysis OptSlice – Optimistic Dynamic Backward Slicer Evaluation Conclusion David Devecsery

8 Idea: Optimistic Analysis
Observation: Hybrid analysis need static analysis to explore only states executed by analyzed executions P – Possible Program States S – Over-approximation used by analysis P S C – Common Executed States C C David Devecsery

9 Idea: Optimistic Analysis
Idea: Instead use unsound static analysis We call: Optimistic Static Analysis Have dynamic analysis detect & handle unsoundness P – Possible Program States S – Over-approximation used by analysis C – Common states P S O O - Optimistic Static Analysis C David Devecsery

10 Motivation – Hybrid Analysis
Optimistic Static Analysis Code P C O Sound Static Analysis int a = my_malloc() int b = my_malloc() *a = read() *b = read() int c = *a + *b Free(a) Free(b) Binary + Dynamic Checks Instrumenter Speculation Checks David Devecsery

11 Optimistic Hybrid Analysis Phases
1 Profiling Likely Invariants 2 Optimistic Static Analysis 3 Speculative Dynamic Analysis Binary + P C O Profiling Dynamic Checks Speculation Checks David Devecsery

12 Optimistic Hybrid Analysis
1 Profiling Likely Invariants 2 Optimistic Static Analysis 3 Speculative Dynamic Analysis Binary + P C O Profiling Dynamic Checks Speculation Checks David Devecsery

13 Likely Invariants Goal: Guide optimistic static analysis towards
Static analysis assumes likely invariants true Reduce state space searched Add bounded unsoundness – if invariant false Likely Invariants should be: Strong - Help prune states considered by static analysis Cheap - Be inexpensive to check dynamically Stable - Hold true for most analyzed executions Gathered by profiling pass over program C David Devecsery

14 Our Invariants Likely Unreachable Code Likely Callee Sets
Identifies regions of code which are not dynamically run Stops static analysis from considering code Likely Callee Sets Identifies targets of indirect function calls Removes indirect function calls from analysis Likely Unreachable Call Contexts Identifies call-stacks reached dynamically Prunes call-graph in context-sensitive analysis David Devecsery

15 Likely Callee Sets Assume indirect calls can only call dynamically observed functions Source Code Static Analysis Graph fcn() { 1: hash_fcn_t *fcn = get_hash_fcn(); 2: hash = *fcn(arg1, arg2); } 3: sha1(arg1, arg2) { … } 4: sha256(arg1, arg2) {…} 5: sha3(arg1, arg2) {…} 6: md5 (arg1, arg2) {…} 7: ripemd(arg1, arg2) {…} 8: whirlpool(arg1, arg2) {…} 3 4 5 2 6 7 8 David Devecsery

16 Likely Callee Sets Source Code Static Analysis Graph 3 4 5 2 6 7 8
fcn() { 1: hash_fcn_t *fcn = get_hash_fcn(); 2: hash = *fcn(arg1, arg2); } 3: sha1(arg1, arg2) { … } 4: sha256(arg1, arg2) {…} 5: sha3(arg1, arg2) {…} 6: md5 (arg1, arg2) {…} 7: ripemd(arg1, arg2) {…} 8: whirlpool(arg1, arg2) {…} 3 4 5 2 6 7 8 David Devecsery

17 Likely Callee Sets Indirect Functions typically only call a small set of functions Source Code Static Analysis Graph fcn() { 1: hash_fcn_t *fcn = get_hash_fcn(); 2: hash = *fcn(arg1, arg2); } 3: sha1(arg1, arg2) { … } 4: sha256(arg1, arg2) {…} 5: sha3(arg1, arg2) {…} 6: md5 (arg1, arg2) {…} 7: ripemd(arg1, arg2) {…} 8: whirlpool(arg1, arg2) {…} 3 4 Likely Invariant: *fcn is sha2 or sha3 5 2 6 7 8 David Devecsery

18 Likely Callee Sets Indirect Functions typically only call a small set of functions Source Code Static Analysis Graph fcn() { 1: hash_fcn_t *fcn = get_hash_fcn(); 2: hash = *fcn(arg1, arg2); } 3: sha1(arg1, arg2) { … } 4: sha256(arg1, arg2) {…} 5: sha3(arg1, arg2) {…} 6: md5 (arg1, arg2) {…} 7: ripemd(arg1, arg2) {…} 8: whirlpool(arg1, arg2) {…} 4 Likely Invariant: *fcn is sha2 or sha3 5 2 David Devecsery

19 Likely Unused Call Contexts
Source Code Analysis Graph main() { 1: a = my_malloc(); 2: b = my_malloc();} my_malloc() { if (!g_init) 3: return do_init(); 4: return malloc(…);} do_init() { g_init = true; 5: // Long complex initialization code} Context-Sensitive 11 21 31 41 32 42 51 52 David Devecsery

20 Likely Unused Call Contexts
Remove call-stacks which never dynamically happen Source Code Analysis Graph main() { 1: a = my_malloc(); 2: b = my_malloc();} my_malloc() { if (!g_init) 3: return do_init(); 4: return malloc(…);} do_init() { g_init = true; 5: // Long complex initialization code} Context-Sensitive 11 21 Dynamically Never called 31 41 32 42 51 52 David Devecsery

21 Optimistic Hybrid Analysis
1 Profiling Likely Invariants 2 Optimistic Static Analysis 3 Speculative Dynamic Analysis Binary + P C O Profiling Dynamic Checks Speculation Checks David Devecsery

22 Optimistic Static Analysis
Assumes likely invariants from profiling are true Likely Invariants allow analysis to approximate C If likely invariants hold, analysis is sound for execution Sound Static Analysis Perfect Static Analysis Optimistic Static Analysis P S P = S P C O Do transition from traditional analysis to optimistic analysis C C S > P S = P O < P David Devecsery

23 Optimistic Hybrid Analysis
1 Profiling Likely Invariants 2 Optimistic Static Analysis 3 Speculative Dynamic Analysis Binary + P C O Profiling Dynamic Checks Speculation Checks David Devecsery

24 Speculative Dynamic Analysis
Runs optimized analysis Fraction of original checks Added likely-invariant speculation checks Lightweight by design (by likely-invariant choices) May have to roll-back on mis-speculation Mis-speculations are rare Worst case: full-execution roll-back re-execute On re-execute – use conservative dynamic analysis Eg. A traditional hybrid analysis David Devecsery

25 Overview Motivation Optimistic Hybrid Analysis Overview
Likely Invariants Optimistic Static Analysis Speculative Dynamic Analysis OptSlice – Optimistic Dynamic Backward Slicer Evaluation Conclusion David Devecsery

26 OptSlice Optimistic Dynamic Backwards Slicer
Uses three likely invariants discussed Uses optimistic static points-to and slicing analyses Heavyweight (full-execution) roll-back recovery Profiled Likely Invariants Optimistic Points-To Used Likely Invariants Instrumented Binary w/ Invariant Checks Profiler Dynamic Slicing Instrumenter Dynamic Execution Points-to Sets Optimistic Static Slicer Profiled Likely Invariants Static Slices & Used Likely Invariants David Devecsery

27 OptSlice – Misc. Details
Static analyses have: Call context-sensitive and insensitive versions Use the most accurate version that will scale Optimistic Static Analysis processes less states Generally more scalable Built on-top of Giri dynamic slicer (ASPLOS 13) David Devecsery

28 Evaluation All experiments bounded to 8hrs, 16GB RAM
We use the best static analysis that will complete Analysis built in LLVM-3.1 Goal: Show how OHA techniques enable OptSlice to accelerate dynamic analysis Evaluate three portions OptSlice speedup Invariant profiling requirements Static analysis improvements David Devecsery

29 Runtime Graph David Devecsery

30 Runtime On Average: 7.7x Speedup Graph David Devecsery

31 Profiling Graph David Devecsery

32 Static Points-to Analysis
Graph David Devecsery

33 Conclusion Optimistic Hybrid Analysis OptSlice
Novel analysis methodology: combines unsound static analysis, and speculative dynamic analysis Accelerates dynamic analysis without sacrificing accuracy or soundness OptSlice Optimistic Hybrid Backward Slicer 7.7x average speedup versus traditional hybrid slicing David Devecsery

34 Questions? David Devecsery

Download ppt "Optimistic Hybrid Analysis"

Similar presentations

Artemis: Practical Runtime Monitoring of Applications for Execution Anomalies Long Fei and Samuel P. Midkiff School of Electrical and Computer Engineering.

Artemis: Practical Runtime Monitoring of Applications for Execution Anomalies Long Fei and Samuel P. Midkiff School of Electrical and Computer Engineering.
Effective Static Deadlock Detection

Effective Static Deadlock Detection
Automatic Memory Management Noam Rinetzky Schreiber 123A 2015/seminar/seminar1415a.html.

Automatic Memory Management Noam Rinetzky Schreiber 123A /seminar/seminar1415a.html.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.

Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
An Case for an Interleaving Constrained Shared-Memory Multi-Processor Jie Yu and Satish Narayanasamy University of Michigan.

An Case for an Interleaving Constrained Shared-Memory Multi-Processor Jie Yu and Satish Narayanasamy University of Michigan.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.

Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Building a Better Backtrace: Techniques for Postmortem Program Analysis Ben Liblit & Alex Aiken.

Building a Better Backtrace: Techniques for Postmortem Program Analysis Ben Liblit & Alex Aiken.
Resurrector: A Tunable Object Lifetime Profiling Technique Guoqing Xu University of California, Irvine OOPSLA’13 Conference Talk 1.

Resurrector: A Tunable Object Lifetime Profiling Technique Guoqing Xu University of California, Irvine OOPSLA’13 Conference Talk 1.
Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.

Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.
Guoquing Xu, Atanas Rountev Ohio State University Oct 9 th, 2008 Presented by Eun Jung Park.

Guoquing Xu, Atanas Rountev Ohio State University Oct 9 th, 2008 Presented by Eun Jung Park.
Semi-Sparse Flow-Sensitive Pointer Analysis Ben Hardekopf Calvin Lin The University of Texas at Austin POPL ’09 Simplified by Eric Villasenor.

Semi-Sparse Flow-Sensitive Pointer Analysis Ben Hardekopf Calvin Lin The University of Texas at Austin POPL ’09 Simplified by Eric Villasenor.
Eliminating Stack Overflow by Abstract Interpretation John Regehr Alastair Reid Kirk Webb University of Utah.

Eliminating Stack Overflow by Abstract Interpretation John Regehr Alastair Reid Kirk Webb University of Utah.
1 Low Overhead Program Monitoring and Profiling Department of Computer Science University of Pittsburgh Pittsburgh, Pennsylvania 15260 {naveen,

1 Low Overhead Program Monitoring and Profiling Department of Computer Science University of Pittsburgh Pittsburgh, Pennsylvania {naveen,
Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.

Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.
Aliases in a bug finding tool Benjamin Chelf Seth Hallem June 5 th, 2002.

Aliases in a bug finding tool Benjamin Chelf Seth Hallem June 5 th, 2002.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

Similar presentations

Ads by Google