Some Improvements for More Precise Model Checking Zhi Zhang State Key Laboratory for Novel Software Technology Nanjing University, China.


2 Outline
1 Introduction
2 EMOPS overview
3 Some improvements taken in EMOPS
4 Experimental results
5 Conclusion and future work

3 Introduction
Model checking is an automatic technique for verifying finite-state systems. It exhaustively checks a finite-state model of a system for violations of a safety property, where the property is formally specified as a formula in some temporal logic, as an automaton, or as a collection of assertions.
[Diagram: the checked system is abstracted into a finite-state model and the safety property into a safety model; the model checker takes both and produces the results.]

4 Introduction
Existing model checkers either cannot be applied to large-scale systems because of state explosion, or they trade precision for scalability, as MOPS does. To overcome these problems we have developed EMOPS, an extended tool based on MOPS that greatly increases MOPS' precision while maintaining its scalability.

5 EMOPS overview
[Architecture diagram with three components: dataflow analysis, model checker, counterexample path verification.]
Contributions:
1. Combination of control flow and dataflow information.
2. Extension of the model checking algorithm.
3. Counterexample path verification.

6 Some improvements taken in EMOPS: dataflow analysis
Program slice, performed under the guidance of the security model.
Rules for program slice
Purpose of program slice: to obtain the safety-relevant functions and reduce the cost of dataflow analysis.

7 Some improvements taken in EMOPS: dataflow analysis
Demand-driven dataflow analysis.
Rules for dataflow analysis
Purpose: the demand-driven alias analysis is performed on the safety-relevant functions only, in bottom-up order (callees before callers), to further reduce the cost of dataflow analysis.

8 Some improvements taken in EMOPS: dataflow analysis
Algorithm for dataflow analysis:
1. Construct the call graph.
2. For each leaf node nd: Demand-Driven Alias Analysis(nd).
3. For each node nd in a loop of the call graph (recursion): Fix Point Computation(nd).
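The three dataflow slides above (slice under the safety model, demand-driven analysis on the safety-relevant functions, bottom-up traversal with a fixed point on recursive cycles) put into working code, as an added example that is not code from EMOPS or from the paper. The toy IR, the constructed sample program, the double-free safety model and the summary domain (which parameters of a function may be freed) are assumptions of the example; the paper's own analysis rules are not shown on the slides.

```python
# Added example (not EMOPS code): program slice under a safety model,
# bottom-up call-graph traversal, and demand-driven summaries with a
# fixed point on recursive cycles.  The toy IR is an assumption:
#   ("assign", dst, src)  dst may alias src      ("free", var)  free(var)
#   ("call", callee, [args])  direct call with local-variable arguments
# A function's summary: the set of parameter indices that may be freed by
# the function itself or by its callees.

# Constructed sample program.  cleanup and release call each other (a cycle
# in the call graph); log never reaches free() and is sliced away.
PROGRAM = {
    "main":    {"params": [],    "body": [("call", "handle", ["buf"]),
                                          ("call", "log", ["buf"]),
                                          ("free", "buf")]},
    "handle":  {"params": ["p"], "body": [("assign", "q", "p"),
                                          ("call", "cleanup", ["q"])]},
    "cleanup": {"params": ["x"], "body": [("call", "release", ["x"])]},
    "release": {"params": ["y"], "body": [("free", "y"),
                                          ("call", "cleanup", ["y"])]},
    "log":     {"params": ["m"], "body": [("assign", "t", "m")]},
}

def call_graph(program):
    """Step 1: map each function to the set of functions it calls."""
    return {f: {st[1] for st in fn["body"] if st[0] == "call"}
            for f, fn in program.items()}

def safety_relevant(program, graph):
    """Slice guided by the safety model: functions from which free() is reachable."""
    relevant = {f for f, fn in program.items()
                if any(st[0] == "free" for st in fn["body"])}
    changed = True
    while changed:
        changed = False
        for f, callees in graph.items():
            if f not in relevant and callees & relevant:
                relevant.add(f)
                changed = True
    return relevant

def sccs_bottom_up(graph):
    """Tarjan's algorithm; SCCs are emitted callees-first, i.e. bottom-up."""
    index, low, on_stack, stack, out, counter = {}, {}, set(), [], [], [0]

    def visit(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in graph[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:            # v is the root of an SCC
            comp = []
            while not comp or comp[-1] != v:
                comp.append(stack.pop())
                on_stack.discard(comp[-1])
            out.append(comp)

    for v in graph:
        if v not in index:
            visit(v)
    return out

def analyze(fn, summaries):
    """Demand-driven step: start only from free() sites and from calls whose
    callee summary frees an argument, then follow aliases back to parameters."""
    alias, freed = {}, set()
    for st in fn["body"]:
        if st[0] == "assign":
            alias.setdefault(st[1], set()).add(st[2])
        elif st[0] == "free":
            freed.add(st[1])
        elif st[0] == "call":
            freed |= {st[2][i] for i in summaries.get(st[1], set())
                      if i < len(st[2])}

    def roots(v, seen=frozenset()):      # all names v may alias, transitively
        found = {v}
        for a in alias.get(v, set()) - seen:
            found |= roots(a, seen | {v})
        return found

    params = fn["params"]
    return {params.index(r) for v in freed for r in roots(v) if r in params}

def compute_summaries(program):
    """Steps 2 and 3: analyse non-recursive functions once in bottom-up order;
    iterate the functions of a call-graph cycle to a fixed point."""
    graph = call_graph(program)
    relevant = safety_relevant(program, graph)
    summaries = {}
    for comp in sccs_bottom_up(graph):
        comp = [f for f in comp if f in relevant]   # skip sliced-away functions
        if not comp:
            continue
        if len(comp) == 1 and comp[0] not in graph[comp[0]]:
            summaries[comp[0]] = analyze(program[comp[0]], summaries)
            continue
        for f in comp:
            summaries[f] = set()               # start the fixed point from bottom
        while True:
            new = {f: analyze(program[f], summaries) for f in comp}
            if all(new[f] == summaries[f] for f in comp):
                break
            summaries.update(new)
    return relevant, summaries
```

On the sample program, `compute_summaries(PROGRAM)` slices `log` away, analyses the `cleanup`/`release` cycle until both summaries stabilise at {0}, and then reports that `handle` may free its parameter through the alias `q`; `main` frees `buf` after passing it to `handle`, which is the kind of interprocedural double free a control-flow-only checker cannot attribute to the same object. The analysis is flow-insensitive and tracks only parameters, so it over-approximates; that is the safe direction for a filter that only decides which functions the model checker has to look at.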

9 Some improvements taken in EMOPS: model checker
Extended rules for the PDA. For an edge in the program's CFG from program point p1 to p2 labelled with statement i:
(1) If i is not a function call →
(2) If i is a call to a function f →
(3) If i is a return statement from a function f →
Extended algorithm for model checker

10 Some improvements taken in EMOPS: counterexample path verification
Purpose: to improve the precision of the model checking results and reduce false positives.
The way for path verification: we employ the model checker BLAST to verify the feasibility of each counterexample path.
Steps of path verification: (1) path instrumentation; (2) path verification by BLAST.
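The two steps sketched on slides 9 and 10, as an added example that is not code from MOPS, EMOPS or the paper: a pushdown model checker that walks a toy interprocedural CFG with the three transition rules (ordinary edge, call, return) against a safety automaton, followed by a counterexample path filter. EMOPS instruments the path and hands it to BLAST; this example stands in a constant-propagation replay of the path as the feasibility check, so the filter only removes paths it can prove spurious. The IR, the constructed sample CFG and the double-free automaton are assumptions of the example.

```python
# Added example (not MOPS or EMOPS code): a pushdown model checker over a
# toy interprocedural CFG, plus counterexample path verification done by
# constant propagation along the path (EMOPS uses BLAST instead).
# The IR is an assumption:
#   ("assign", var, int)   ("assume", var, op, int)   ("free", var)
#   ("call", fn)           ("nop",)
# A function returns when its exit node is reached.

# Safety model: a double-free FSA over events on the tracked pointer p.
FSA = {("live", ("free", "p")): "freed",
       ("freed", ("free", "p")): "error"}

# Constructed sample program: helper() frees p, then main() frees p again
# either on a branch that is infeasible (x is the constant 1) or on a
# branch that depends on the unknown input y.
PROGRAM = {
    "main": {"entry": "n0", "exit": "n5", "edges": [
        ("n0", "n1", ("assign", "x", 1)),
        ("n1", "n2", ("call", "helper")),
        ("n2", "n4", ("assume", "x", "<=", 0)),  # infeasible branch
        ("n4", "n5", ("free", "p")),
        ("n2", "n3", ("assume", "x", ">", 0)),
        ("n3", "n6", ("assume", "y", "!=", 0)),  # y unknown: feasible
        ("n6", "n5", ("free", "p")),
        ("n3", "n5", ("assume", "y", "==", 0)),
    ]},
    "helper": {"entry": "h0", "exit": "h1", "edges": [
        ("h0", "h1", ("free", "p")),
    ]},
}

def model_check(program, main="main", init="live"):
    """Explore configurations (function, node, FSA state, call stack):
    rule 1: an ordinary edge moves within the function and feeds the
            statement to the FSA;
    rule 2: a call pushes the return point and enters the callee;
    rule 3: reaching the exit node pops the return point.
    Every transition into the FSA error state yields a counterexample path."""
    succ = {f: {} for f in program}
    for f, fn in program.items():
        for src, dst, stmt in fn["edges"]:
            succ[f].setdefault(src, []).append((dst, stmt))
    start = (main, program[main]["entry"], init, ())
    seen, work, errors = {start}, [(start, [])], []
    while work:
        (f, node, st, stack), path = work.pop()
        nxt = []
        if node == program[f]["exit"] and stack:                # rule 3
            caller, ret = stack[-1]
            nxt.append(((caller, ret, st, stack[:-1]), path))
        for dst, stmt in succ[f].get(node, []):
            step = path + [(f, stmt)]
            if stmt[0] == "call":                                 # rule 2
                callee = stmt[1]
                nxt.append(((callee, program[callee]["entry"], st,
                             stack + ((f, dst),)), step))
            else:                                                 # rule 1
                st2 = FSA.get((st, stmt), st)
                if st2 == "error":
                    errors.append(step)
                else:
                    nxt.append(((f, dst, st2, stack), step))
        for conf, p in nxt:
            if conf not in seen:
                seen.add(conf)
                work.append((conf, p))
    return errors

OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def path_feasible(path):
    """Path verification by replaying the path with constant propagation:
    an assume on a variable with a known value that evaluates false marks
    the path infeasible; an assume on an unknown variable is kept."""
    env = {}
    for _, stmt in path:
        if stmt[0] == "assign":
            env[stmt[1]] = stmt[2]
        elif stmt[0] == "assume" and stmt[1] in env:
            if not OPS[stmt[2]](env[stmt[1]], stmt[3]):
                return False
    return True

def check(program):
    """Return (real, total) counterexample paths, the shape of the
    Real/Total CE-paths column in the results table."""
    paths = model_check(program)
    return sum(path_feasible(p) for p in paths), len(paths)
```

`check(PROGRAM)` returns (1, 2): the checker reports both double-free paths, and the filter discards the one that passes through `assume x <= 0` after `x = 1`, leaving the path through the unknown input `y`. Note the seen set is over whole configurations including the stack, so the exploration terminates for non-recursive programs; recursion would need the summary-based PDA reachability that MOPS actually implements rather than this explicit stack.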

11 Experimental results: EMOPS compared with MOPS

| Vulnerability   | Application               | Found by MOPS | Found by EMOPS | CE-paths: real (total) | Path filter |
|-----------------|---------------------------|---------------|----------------|------------------------|-------------|
| Double Free     | cvs-1.11.4                | NO            | YES            | 1 (2)                  | 1           |
| Double Free     | krb5-1.4.1                | YES           | YES            | 1 (1)                  | 0           |
| Memory Leak     | squid-2.4.STABLE3         | NO            | YES            | 1 (4)                  | 2           |
| Memory Leak     | wget-1.10.2               | NO            | YES            | 1 (9)                  | 6           |
| Memory Leak     | which-2.16                | NO            | YES            | 1 (5)                  | 2           |
| Buffer Overflow | gzip-1.2.4                | NO            | YES            | 1 (1)                  | 0           |
| Buffer Overflow | ncompress-4.2.4           | NO            | YES            | 1 (1)                  | 0           |
| Buffer Overflow | sendmail-8.7.5            | NO            | YES            | 1 (2)                  | 1           |
| Buffer Overflow | wu-ftpd-2.4.2-beta-18-vr8 | NO            | YES            | 1 (3)                  | 2           |

12 Experimental results: program slice

| Application               | Before program slice | After program slice | Compaction rate (after/before) |
|---------------------------|----------------------|---------------------|--------------------------------|
| cvs-1.11.4                | 733                  | 315                 | 42.97%                         |
| krb5-1.4.1                | 2439                 | 225                 | 9.23%                          |
| squid-2.4.STABLE3         | 1838                 | 132                 | 7.18%                          |
| wget-1.10.2               | 593                  | 102                 | 17.2%                          |
| which-2.16                | 18                   | 5                   | 27.78%                         |
| gzip-1.2.4                | 96                   | 10                  | 10.42%                         |
| ncompress-4.2.4           | 15                   | 2                   | 13.33%                         |
| sendmail-8.7.5            | 415                  | 197                 | 47.47%                         |
| wu-ftpd-2.4.2-beta-18-vr8 | 221                  | 83                  | 37.56%                         |

13 Experimental results: alias analysis based on points-to sets versus the demand-driven method, and their cost (ms)

| Application               | Traditional dataflow analysis (ms) | Demand-driven dataflow analysis (ms) | Improvement rate |
|---------------------------|------------------------------------|--------------------------------------|------------------|
| cvs-1.11.4                | 1632.65                            | 1225.39                              | 7.85%            |
| krb5-1.4.1                | 1558.3                             | 1120.24                              | 6.73%            |
| squid-2.4.STABLE3         | 360.89                             | 67.28                                | 17.78%           |
| wget-1.10.2               | 270.43                             | 175.93                               | 8.74%            |
| which-2.16                | 171.39                             | 124.56                               | 13.37%           |
| gzip-1.2.4                | 122.41                             | 94.33                                | 3.67%            |
| ncompress-4.2.4           | 63.05                              | 49.25                                | 5.93%            |
| sendmail-8.7.5            | 1327.47                            | 1111.36                              | 14.47%           |
| wu-ftpd-2.4.2-beta-18-vr8 | 177.33                             | 119.83                               | 7.30%            |

14 Conclusion and future work
We describe a tool, EMOPS, which improves MOPS's performance in two respects: (1) the combination of control flow and dataflow information; (2) path verification.
Future work: in EMOPS, as in most program analysis tools, the safety model for the temporal safety property has to be constructed manually. In our future work we will try to automate this step, using mining techniques to extract the specification of the temporal safety property from the source code.
