Presentation is loading. Please wait.

Presentation is loading. Please wait.

Type Qualifiers: Lightweight Specifications to Improve Software Quality Jeffrey S. Foster.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Type Qualifiers: Lightweight Specifications to Improve Software Quality Jeffrey S. Foster."— Presentation transcript:

1 Type Qualifiers: Lightweight Specifications to Improve Software Quality Jeffrey S. Foster

2 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley2 Software Quality Today Even after large, extensive testing efforts, commercial software is shipped riddled with errors ("bugs"). -- PITAC Report to the President, February 24, 1999 -- Bill Gates, January 15, 2002 (highest priority for Microsoft) Trustworthy Computing is computing that is available, reliable, and secure as electricity, water services and telephony....No Trustworthy Computing platform exists today.

3 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley3 Conclusion? Software is buggy

4 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley4 So What? Software has always been buggy But now... –More people use software –Computers keep getting faster Speed/quality tradeoff changing –Cost of fixing bugs is high

5 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley5 Common Techniques for Software Quality Testing Code auditing Drawbacks: Expensive, difficult, error-prone, limited assurances What more can we do? –Tools that analyze source code –Techniques for avoiding programming mistakes

6 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley6 Tools Need Specifications put_tty_queue_nolock(c, tty); spin_lock_irqsave(&tty->read_lock, flags); spin_unlock_irqrestore(&tty->read_lock, flags); Goal: Add specifications to programs In a way that... –Programmers will accept Lightweight –Scales to large programs –Solves many different problems

7 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley7 Type Qualifiers Extend standard type systems (C, Java, ML) –Programmers already use types –Programmers understand types –Get programmers to write down a little more... intconstANSI C ptr( char)taintedSecurity vulnerabilities int  ptr( FILE) open File operations

8 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley8 Application: Format String Vulnerabilities I/O functions in C use format strings printf("Hello!");Hello! printf("Hello, %s!", name);Hello, name ! Instead of printf("%s", name); Why not printf(name);?

9 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley9 Format String Attacks Adversary-controlled format specifier name := printf(name);/* Oops */ –Attacker sets name = “%s%s%s” to crash program –Attacker sets name = “...%n...” to write to memory Lots of these bugs in the wild –New ones weekly on bugtraq mailing list –Too restrictive to forbid variable format strings

10 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley10 Using Tainted and Untainted Add qualifier annotations int printf(untainted char *fmt,...) tainted char *getenv(const char *) tainted = may be controlled by adversary untainted = must not be controlled by adversary

11 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley11 Subtyping void f(tainted int); untainted int a; f(a); void g(untainted int); tainted int b; f(b); OK f accepts tainted or untainted data Error g accepts only untainted data untainted  taintedtainted  untainted/ untainted  tainted

12 Demo of cqual http://www.cs.berkeley.edu/~jfoster

13 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley13 Framework Pick some qualifiers –and relation (partial order) among qualifiers Add a few explicit qualifiers to program Infer remaining qualifiers –and check consistency untainted int  tainted int readwrite FILE  read FILE

14 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley14 Type Qualifier Inference Two kinds of qualifiers –Explicit qualifiers: tainted, untainted,... –Unknown qualifiers:  0,  1,... Program yields constraints on qualifiers tainted   0  0  untainted Solve constraints for unknown qualifiers –Error if no solution

15 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley15 Adding Qualifiers to Types  ptr FILE int ptr char tainted 00 11 22 openptr( char)tainted int  ptr( FILE) open

16 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley16  ptr int f ptr inty z Constraint Generation ptr(int) f(x : int) = {... }y := f(z) 00 11 22 33 44 55 66 6  16  1 2  42  4 3 = 53 = 5

17 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley17 Constraints as Graphs 00 11 22 33 44 55 66 6  16  1 2  42  4 3 = 53 = 5 88 untainted tainted 77 99 Key idea: programs  constraints  graphs

18 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley18 Satisfiability via Graph Reachability 00 11 22 33 44 55 66 6  16  1 2  42  4 3 = 53 = 5 88 untainted tainted 77 99 Is there an inconsistent path through the graph?

19 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley19 Satisfiability via Graph Reachability 00 11 22 33 44 55 66 6  16  1 2  42  4 3 = 53 = 5 88 untainted tainted 77 99 Is there an inconsistent path through the graph?

20 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley20 Satisfiability via Graph Reachability 00 11 22 33 44 55 66 6  16  1 2  42  4 3 = 53 = 5 88 untainted tainted 77 99 tainted   6   1   3   5   7  untainted

21 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley21 Satisfiability in Linear Time Initial program of size n –Fixed set of qualifiers tainted, untainted,... Constraint generation yields O(n) constraints –Recursive abstract syntax tree walk Graph reachability takes O(n) time –Works for semi-lattices, discrete p.o., products

22 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley22 The Story So Far... Type qualifiers as subtyping system –Qualifiers live on the standard types –Programs  constraints  graphs Useful for a number of real-world problems Up next: State change and type qualifiers –A glimpse of a more complex system Followed by: Applications, experiments

23 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley23 Application: Locking Lock x; lock(x);...critical section... unlock(x); x : locked Lock x : unlocked Lock

24 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley24 Flow-Sensitive Type Qualifiers Standard type systems are flow-insensitive –Types don't change during execution /* x : int */ x :=...; /* x : int */ We need flow-sensitivity –Qualifiers may change during execution /* y : locked Lock */ y :=...; /* y : unlocked Lock */

25 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley25 Some Challenges How do we deal with aliasing? p = &x; *p =...; How do we make the analysis scale? –Too expensive to model full state at each point What happens when too much is aliased? –How does the programmer control aliasing?

26 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley26 Modeling State with Abstract Stores Track each variable's type at each point –Abstract stores map variables to types –...and types contain qualifiers { x : t, y : r, z : s,... } x :=...; { x : t', y : r, z : s,... } y :=...; { x : t', y : r', z : s,... }

27 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley27 What About Aliasing? Suppose p points to x: { x : q int, p : ptr(q int),... } *p :=...; { x : q int, p : ptr(q' int),... } –Variable names alone are insufficient Solution: Add a level of indirection –Stores map locations to types –Pointer types point to locations

28 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley28 Unification-Based Alias Analysis Initial flow-insensitive pass computes aliasing –Before flow-sensitive analysis –Simultaneous with standard type inference Types are not flow-sensitive, only qualifiers Associate a location  with each pointer –Unify locations that may alias *p : ptr  (int) *x : ptr  (int)... p = &x;  /* require  =  */

29 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley29 Using Locations in Stores Suppose p points to x: *p : ptr  (int) x : ptr  (int) *p :=...; {  : q' int,  : ptr(  ),... } { x : q int, p : ptr(q int),... }{  : q int,  : ptr(  ),... }

30 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley30 What About Scalability? Stores are too big {  : t,  : r, : s,... } –A program of size n may have n locations n program points  n 2 space to represent stores We need a more compact representation –Idea: represent differences between stores

31 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley31 Constructing Stores Three kinds of stores S S ::=  Unknown store | Alloc(S,  :  )Like store S, but  allocated with type  | Assign(S,  :  )Like store S, but update type of  with  Store constraints S  –Control flow from S to  Solution maps  to {  : t,  : r, : s,... } –Key: only write down necessary portion of soln.

32 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley32 Example Lock x; while (...) { lock(x); y :=... unlock(x); }

33 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley33 Example Lock x  ; while (...) { lock(x  ); y  :=... unlock(x  ); } 00 Alloc(  0,  : unlocked)   1 Alloc  : unlocked Lock Alloc(  0,  : unlocked)   1 11 Assign  : locked Lock Assn(Assn(Assn(  1,  : locked),  : q  ),  : unlocked)   1 check  1 (  ) : unlocked Lock Assign  : q  Assn(Assn(Assn(  1,  : locked),  : q  ),  : unlocked)   1 check  (  ) : locked Lock  Assign  : unlocked Lock Assn(Assn(Assn(  1,  : locked),  : q  ),  : unlocked)   1 22  1   2

34 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley34 Example 00 Alloc  : unlocked Lock 11 Assign  : locked Lock check  1 (  ) : unlocked Lock Assign  : q  Assign  : unlocked Lock check  (  ) : locked Lock  22 Alloc(  0,  : unlocked)   1 Assn(Assn(Assn(  1,  : locked),  : q  ),  : unlocked)   1  1   2

35 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley35 Lazy Constraint Resolution We don't care about most locations –only those that may be locked or unlocked –In this case, we will only do work for  Key to efficiency: When solving for store variables, only represent the minimum necessary

36 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley36 Constraint Resolution Example 00 Alloc  : unlocked Lock 11 Assign  : locked Lock check  1 (  ) : unlocked Lock Assign  : q  Assign  : unlocked Lock check  (  ) : locked Lock  22 green = {  : unlocked Lock } red = {  : locked Lock }

37 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley37 Constraint Resolution Example 00 Alloc  : unlocked Lock 11 Assign  : locked Lock check  1 (  ) : unlocked Lock Assign  : q  Assign  : unlocked Lock check  (  ) : locked Lock  22 green = {  : unlocked Lock } red = {  : locked Lock }

38 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley38 Constraint Resolution Example 00 Alloc  : unlocked Lock 11 Assign  : locked Lock check  1 (  ) : unlocked Lock Assign  : q  Assign  : unlocked Lock check  (  ) : locked Lock  22 green = {  : unlocked Lock } red = {  : locked Lock }

39 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley39 Constraint Resolution Example 00 Alloc  : unlocked Lock 11 Assign  : locked Lock check  1 (  ) : unlocked Lock Assign  : q  Assign  : unlocked Lock check  (  ) : locked Lock  22 green = {  : unlocked Lock } red = {  : locked Lock }

40 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley40 Constraint Resolution Example 00 Alloc  : unlocked Lock 11 Assign  : locked Lock check  1 (  ) : unlocked Lock Assign  : q  Assign  : unlocked Lock check  (  ) : locked Lock  22 green = {  : unlocked Lock } red = {  : locked Lock }

41 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley41 Constraint Resolution Example 00 Alloc  : unlocked Lock 11 Assign  : locked Lock check  1 (  ) : unlocked Lock Assign  : q  Assign  : unlocked Lock check  (  ) : locked Lock  22 green = {  : unlocked Lock } red = {  : locked Lock }

42 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley42 Constraint Resolution Example 00 Alloc  : unlocked Lock 11 Assign  : locked Lock check  1 (  ) : unlocked Lock Assign  : q  Assign  : unlocked Lock check  (  ) : locked Lock  22 green = {  : unlocked Lock } red = {  : locked Lock }

43 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley43 Constraint Resolution Example 00 Alloc  : unlocked Lock 11 Assign  : locked Lock check  1 (  ) : unlocked Lock Assign  : q  Assign  : unlocked Lock check  (  ) : locked Lock  22 green = {  : unlocked Lock } red = {  : locked Lock }

44 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley44 Constraint Resolution Example 00 Alloc  : unlocked Lock 11 Assign  : locked Lock check  1 (  ) : unlocked Lock Assign  : q  Assign  : unlocked Lock check  (  ) : locked Lock  22 green = {  : unlocked Lock } red = {  : locked Lock }

45 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley45 Constraint Resolution Example 00 Alloc  : unlocked Lock 11 Assign  : locked Lock check  1 (  ) : unlocked Lock Assign  : q  Assign  : unlocked Lock check  (  ) : locked Lock  22 green = {  : unlocked Lock } red = {  : locked Lock }

46 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley46 Constraint Resolution Example 00 Alloc  : unlocked Lock 11 Assign  : locked Lock check  1 (  ) : unlocked Lock Assign  : q  Assign  : unlocked Lock check  (  ) : locked Lock  22 green = {  : unlocked Lock } red = {  : locked Lock }

47 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley47 Strong Updates In  2, location  has qualifier q' –We've replaced  's qualifier –This is called a strong update –Location  is linear 00 Alloc  : q int Assign  : q' int 22 11

48 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley48 Weak Updates What if  allocated twice? –Only one is actually updated 00 Alloc  : q int Assign  : q' int 22 11 Alloc  : q int In  2, location  has qualifier q  q' –We've merged  's new and old qualifiers –This is called a weak update –Location  is non-linear

49 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley49 Recovering Linearity What do we do when aliasing too imprecise? –Can't strongly update non-linear locations New construct restrict –Programmer adds restrict to help the alias analysis restrict x = e1 in e2 –Roughly: within e2, accesses to *e1 must use x

50 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley50 Restrict Example Lock locks[n]; lock(&locks[i]);... unlock(&locks[i]);

51 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley51 Restrict Example Within scope of restrict, only mylock used –Can perform strong updates After restrict ends, weak update from mylock to locks[] Lock locks[n]; restrict mylock = &locks[i] in lock(mylock);... unlock(mylock);

52 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley52 More Features Low-cost polymorphism –Use effects to avoid merging stores at fn calls Some path-sensitivity –Different types on if-then-else branches

53 Demo

54 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley54 Qualifier Inference Architecture restrict annotations Flow-insensitive Type qualifiers Alias Analysis Effect inference Flow-sensitive Linearity inference Type qualifiers

55 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley55 Applications Published experiments: const Inference [Foster, Fahndrich, Aiken, PLDI99] Y2K bug detection [Elsman, Foster, Aiken, 1999] Format-string vulnerabilities [Shankar, Talwar, Foster, Wagner, Usenix Sec 01] Locking and stream operations [Foster, Terauchi, Aiken, PLDI 02] Linux Security Modules [Zhang, Edwards, Jaeger, (IBM Watson) Usenix Sec 02]

56 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley56 Results: Format String Vulnerabilities Analyzed 10 popular unix daemon programs Annotations shared across applications –One annotated header file for standard libraries Found several known vulnerabilities –Including ones we didn’t know about User interface critical

57 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley57 Results: Locking Looked for simple deadlocks in Linux 2.4.9 –Double acquires/releases Analyzed 892 files in linux/drivers individually Analyzed 513 modules (all linked files) –14 type errors  deadlocks –~41/892 fail to typecheck but appear correct –~196/513 fail to typecheck added restrict by hand to remove type errors due to aliasing for 64/196

58 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley58 Running Time: Locking

59 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley59 Memory Usage: Locking

60 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley60 Main Contributions Type qualifiers as specifications –With applications Scalable flow-sensitive qualifier inference –Lazy, constraint-based –Built with alias analysis, effect inference –Linearities for strong/weak updates restrict construct

61 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley61 (Some) Related Work Dataflow Analysis Bug-finding Tools –AST Toolkit [Weise, Crew] –Meta-Level Compilation [Engler et al] Type Systems –Label flow [Mossin] –Typestate [Strom, Yemini, Yellin] –Vault [Fähndrich, DeLine] –Cyclone [Grossman et al]

62 Type Qualifiers, October 7, 2002, Jeffrey S. Foster, UC Berkeley62 Conclusion Type qualifiers are specifications that... –Programmers will accept Lightweight Easy to use -- inference and visualization –Scale to large programs –Solve many different problems http://www.cs.berkeley.edu/~jfoster/cqual Includes source code and web demo of cqual

Download ppt "Type Qualifiers: Lightweight Specifications to Improve Software Quality Jeffrey S. Foster."

Similar presentations

Static Analysis for Security

Static Analysis for Security
Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...

Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...
Recursion CS 367 – Introduction to Data Structures.

Recursion CS 367 – Introduction to Data Structures.
Inpainting Assigment – Tips and Hints Outline how to design a good test plan selection of dimensions to test along selection of values for each dimension.

Inpainting Assigment – Tips and Hints Outline how to design a good test plan selection of dimensions to test along selection of values for each dimension.
INTRODUCTION Chapter 1 1. Java CPSC 1100 University of Tennessee at Chattanooga 2  Difference between Visual Logic & Java  Lots  Visual Logic Flowcharts.

INTRODUCTION Chapter 1 1. Java CPSC 1100 University of Tennessee at Chattanooga 2  Difference between Visual Logic & Java  Lots  Visual Logic Flowcharts.
Transition from C to C++ …and a Review of Basic Problem Solving.

Transition from C to C++ …and a Review of Basic Problem Solving.
Type Qualifiers CS 6340 1. 2 Software Quality Today Even after large, extensive testing efforts, commercial software is shipped riddled with errors (bugs).

Type Qualifiers CS Software Quality Today Even after large, extensive testing efforts, commercial software is shipped riddled with errors ("bugs").
October 2007Susan Eggers: SOSP Women's Workshop 1 Your Speaker in a Nutshell BA in Economics 1965 PhD University of CA, Berkeley 1989 Technical skills.

October 2007Susan Eggers: SOSP Women's Workshop 1 Your Speaker in a Nutshell BA in Economics 1965 PhD University of CA, Berkeley 1989 Technical skills.
Preventing bugs with pluggable type checking Michael D. Ernst University of Washington Object x)

Preventing bugs with pluggable type checking Michael D. Ernst University of Washington Object x)
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
(Quickly) Testing the Tester via Path Coverage Alex Groce Oregon State University (formerly NASA/JPL Laboratory for Reliable Software)

(Quickly) Testing the Tester via Path Coverage Alex Groce Oregon State University (formerly NASA/JPL Laboratory for Reliable Software)
Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.

Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.
Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.

Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.
The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.

The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.
The Ant and The Grasshopper Fast and Accurate Pointer Analysis for Millions of Lines of Code Ben Hardekopf and Calvin Lin PLDI 2007 (Best Paper & Best.

The Ant and The Grasshopper Fast and Accurate Pointer Analysis for Millions of Lines of Code Ben Hardekopf and Calvin Lin PLDI 2007 (Best Paper & Best.
Elaboration or: Semantic Analysis Compiler Baojian Hua

Elaboration or: Semantic Analysis Compiler Baojian Hua
Cse321, Programming Languages and Compilers 1 6/19/2015 Lecture #18, March 14, 2007 Syntax directed translations, Meanings of programs, Rules for writing.

Cse321, Programming Languages and Compilers 1 6/19/2015 Lecture #18, March 14, 2007 Syntax directed translations, Meanings of programs, Rules for writing.
Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland.

Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland.
A Type-Checked Restrict Qualifier Jeff Foster OSQ Retreat May 9-10, 2001.

A Type-Checked Restrict Qualifier Jeff Foster OSQ Retreat May 9-10, 2001.
1 New Architectures Need New Languages A triumph of optimism over experience! Ian Watson 3 rd July 2009.

1 New Architectures Need New Languages A triumph of optimism over experience! Ian Watson 3 rd July 2009.

Similar presentations

Ads by Google