Presentation is loading. Please wait.

Presentation is loading. Please wait.

Unleashing the Power of Static Analysis Manuvir Das Principal Researcher Center for Software Excellence Microsoft Corporation.

Published byAdrian Bruce Modified over 9 years ago

Similar presentations

Presentation on theme: "Unleashing the Power of Static Analysis Manuvir Das Principal Researcher Center for Software Excellence Microsoft Corporation."— Presentation transcript:

1 Unleashing the Power of Static Analysis Manuvir Das Principal Researcher Center for Software Excellence Microsoft Corporation

2 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’062 Talking the talk … Static analysis tools can make a huge impact on how software is engineered The trick is to properly balance research with a focus on deployment The Center for Software Excellence (CSE) at Microsoft is doing this (well?) today

3 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’063 … walking the walk CSE impact on Windows Vista –Found 100,000+ fixed bugs –Added 500,000+ specifications –Answered thousands of emails We are program analysis researchers –But we measure our success in adoption –And we feel the pain of the customer

4 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’064 Context The Nail (Windows) –Manual processes do not scale to real software The Hammer (Static Analysis) –Automated methods for searching programs The Carpenter (CSE) –A systematic, heavily automated, approach to improving the quality of software

5 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’065 What is static analysis? grep == static analysis static analysis == grep syntax trees, CFGs, alias analysis, dataflow analysis, dependency analysis, binary analysis, symbolic evaluation, model checking, specifications, …

6 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’066 Roadmap Engineering process Static analysis tools Lessons

7 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’067 Engineering process

8 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’068 Build Architecture Main Branch Team Branch Desktop Team Branch Team Branch Desktop ……

9 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’069 Quality Gates Lightweight tools –run on developer desktop & feature branches –issues tracked within the program artifacts Enforced by rejection at gate Main Branch Team Branch Desktop Team Branch Team Branch Desktop ……

10 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0610 Central Bug Filing Heavyweight tools –run on main branch –issues tracked through a central bug database Enforced by bug cap Team Branch Desktop Team Branch Team Branch Desktop …… Main Branch

11 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0611 Static analysis tools

12 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0612 1. Code correctness Reject code with null pointer dereferences, uninitialized memory, resource leaks, … Inter-procedural simulation – PREfix –Process the call graph bottom-up –Perform symbolic evaluation on a fixed number of paths through every function –Build incomplete symbolic function models –Use symbolic state to avoid infeasible paths –Report defects when bad states arise

13 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0613 2. Integer overflow Reject code with potential security holes due to unchecked integer arithmetic Construct an expression tree for every interesting expression in the code Ensure that every operation is checked size1 = … size2 = … data = MyAlloc(size1+size2); for (i = 0; i < size1; i++) data[i] = …

14 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0614 3. Architecture layering Reject code that breaks the component architecture of the product –No dependencies from lower layers of the system to higher layers of the system Dependency analysis tool – MaX –Construct a graph of dependencies between binaries (DLLs) in the system Obvious : call graph Subtle : registry, RPC, …

15 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0615 4. Security Problem –A security issue is discovered through internal testing, or in the field (MSRC, Watson) Diagnosis –Identify the code pattern that caused the bug Detection (defect by example) –Specify the code pattern formally in OPAL –Use checkers to find instances of the pattern

16 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0616 RegKey leak defect status = RegOpenKeyExW( HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib", 0L, KEY_READ, & hLocalKey); if (status == ERROR_SUCCESS) bLocalKey = TRUE; … block of code that uses hLocalKey … if (bLocalKey) CloseHandle(hLocalKey); Bug: registry key is closed by calling the generic CloseHandle API –May fail to clean up some data that is specific to registry key data structures

17 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0617 RegKey leak code pattern Search for code paths along which a registry key is opened, and then closed using the generic CloseHandle API Specification: –define a sequence of relevant actions –e.g. A(k)…B(h) –define the actions (e.g. A, B, k and h)

18 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0618 RegKey leak specification defect RegKeyCloseHandle { // A(x)…B(x) sequence OpenKey(key);CloseHandle(handle) message “Registry key closed using generic CloseHandle API!” // A(x) pattern OpenKey(key) /RegOpenKeyEx[AW](@\d+)?$/ (_,_,_,_,&key) where (return == 0) // B(x) pattern CloseHandle(handle) /CloseHandle(@\d+)?$/ (handle) } This is the entire specification effort for the codebase

19 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0619 Safety properties void main () { if (dump) fil = fopen(dumpFile,”w”); if (p) x = 0; else x = 1; if (dump) fclose(fil); } Closed Opened Error Open Print Open Close Print/Close * void main () { if (dump) Open; if (p) x = 0; else x = 1; if (dump) Close; }

20 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0620 ESP Symbolic state: FSA + execution state Branch points: Does execution state uniquely determine branch direction? –Yes: process appropriate branch –No: split & update state, and process both branches Merge points: Do states agree on FSA? –Yes: merge states –No: process states separately

21 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0621 ESP example [Opened|dump=T] [Closed] [Closed|dump=T] [Closed|dump=F] [Opened|dump=T,p=T,x=0] [Opened|dump=T,p=F,x=1] [Opened|dump=T] [Closed|dump=F] [Closed] entry dump p x = 0x = 1 Open Close exit dump T T T F F F

22 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0622 5. Concurrency Deadlocks, data races, orphan locks, … Sequential analysis of lock sequences at every program point of every thread –Cycle in lock ordering: deadlock –Access without consistent locking: data race –Exit while holding critical section: orphan lock! Inter-procedural dataflow analysis – ESPC –Instance of ESP – lock sequences control merge –Understands Win32 locking semantics

23 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0623 6. Buffer overruns Defect: a buffer access index is out of bounds Detection: check that index is within bounds Problem: where are the buffer bounds stored? –Tools must track buffer size from allocation to access –Exhaustive global analysis is infeasible Solution: turn global analysis into local analysis –Standard Annotation Language (SAL) –Specify buffer sizes at function interfaces –Perform modular (one function at a time) analysis

24 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0624 SAL example 1 wcsncpy [precondition] destination buffer must have enough allocated space wchar_t wcsncpy ( wchar_t *dest, wchar_t *src, size_t num ); wchar_t wcsncpy ( __pre __notnull __pre __writableTo(elementCount(num)) wchar_t *dest, wchar_t *src, size_t num ); wchar_t wcsncpy ( __out_ecount(num) wchar_t *dest, wchar_t *src, size_t num);

25 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0625 SAL example 2 memcpy void * memcpy ( void * dest, void * src, size_t num ); void * memcpy ( __pre __notnull __pre __writableTo(byteCount(num)) __post __readableTo(byteCount(num)) void * dest, __pre __notnull __pre __deref __readonly __pre __readableTo(byteCount(num)) void * src, size_t num ); void * memcpy ( __out_bcount_full(num) void * dest, __in_bcount(num) void * src, size_t num );

26 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0626 SAL primer Usage example: a 0 RT func(a 1 … a n T par) a i : SAL annotation Interface contracts –pre, post, object invariants Basic properties –null, readonly, valid, range, … Buffer extents –writableTo(size), readableTo(size) Buffer size formats –(byte|element)Count, endPointer, sentinel, …

27 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0627 SAL ecosystem espX/PREfast/… : Use annotations to find defects SALstats : Identify parameters that should be annotated MIDL Compiler : Translate MIDL directives to annotations SALinfer : Infer annotations using global static analysis

28 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0628 SALinfer example size(tmp,200) size(buf,len) size(buf2,len) size(buf2,len2) size(buf,len) write(buf) write(buf2) void work() { int tmp[200]; wrap(tmp, 200); } void wrap(int *buf, int len) { int *buf2 = buf; int len2 = len; zero(buf2, len2); } void zero(int *buf, int len) { int i; for(i = 0; i <= len; i++) buf[i] = 0; }

29 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0629 SALinfer example void work() { int tmp[200]; wrap(tmp, 200); } void wrap(__out_ecount(len) int *buf, int len) { int *buf2 = buf; int len2 = len; zero(buf2, len2); } void zero(__out_ecount(len) int *buf, int len) { int i; for(i = 0; i <= len; i++) buf[i] = 0; }

30 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0630 espX example void zero(__out_ecount(len) int *buf, int len) { int i; for(i = 0; i <= len; i++) buf[i] = 0; } Subgoal 2: i < sizeOf(buf) assume(sizeOf(buf) == len) for(i = 0; i <= len; i++) buf[i] = 0; inv (i >= 0 && i <= len) Constraints: (C1) i >= 0 (C2) i <= len (C3) sizeOf(buf) == len Goal: i >= 0 && i < sizeOf(buf) Subgoal 1: i >=0 by (C1) Warning: Cannot validate buffer access. Overflow occurs when i == len Subgoal 2: i < len by (C3)Subgoal 2: i < len FAIL assert(i >= 0 && i < sizeOf(buf))

31 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0631 SAL impact Windows Vista –Mandate: Annotate 100,000 mutable buffers –Developers annotated 500,000+ parameters –Developers fixed 20,000+ bugs Office 12 –Developers fixed 6,500+ bugs Visual Studio, SQL, Exchange, … External customers –CRT + Windows headers SAL annotated –SAL aware compiler shipped with VS 2005

32 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0632 SAL evaluation Vista – mutable string buffer parameters Annotation cost: [–] 100,000 parameters required annotations [+] 4 out of 10 automatic Defect detection value: [+] 1 buffer overrun exposed per 20 annotations Locked in progress: [+] 9.4 out of 10 buffer accesses validated

33 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0633 Lessons

34 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0634 Forcing functions for change Gen 1: Manual Review –Too many code paths to think about Gen 2: Massive Testing –Inefficient detection of simple errors Gen 3: Global Program Analysis –Delayed results Gen 4: Local Program Analysis –Lack of calling context limits accuracy Gen 5: Specifications

35 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0635 Acceptance of specifications Developers like incremental specs –No specifications, no bugs Developers like useful specs –More specifications, more real bugs Developers like informative specs –Make implicit information explicit –Avoid repeating what the code says

36 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0636 Defect detection myths Soundness matters –sound == find only real bugs –The real measure is Fix Rate Completeness matters –complete == find all the bugs –There will never be a complete analysis Developers only fix real bugs –Developers fix bugs that are easy to fix, and –Unlikely to introduce a regression

37 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0637 Theory is important Fundamental ideas have been crucial –Hoare logic –Dataflow analysis –Abstract interpretation –Graph algorithms –Context-sensitive analysis –Alias analysis

38 8/17/06Unleasing Static Analysis, Manuvir Das, SAS ’0638 Summary Static analysis tools can make a huge impact on how software is engineered The trick is to properly balance research with a focus on deployment The Center for Software Excellence (CSE) at Microsoft is doing this (well?) today

39 © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. http://www.microsoft.com/cse http://research.microsoft.com/manuvir

Download ppt "Unleashing the Power of Static Analysis Manuvir Das Principal Researcher Center for Software Excellence Microsoft Corporation."

Similar presentations

Static Analysis for Security

Static Analysis for Security
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Formal Specifications on Industrial Strength Code: From Myth to Reality Manuvir Das Principal Researcher Center for Software Excellence Microsoft Corporation.

Formal Specifications on Industrial Strength Code: From Myth to Reality Manuvir Das Principal Researcher Center for Software Excellence Microsoft Corporation.
02 | Define an Effective End-to-End Software Development Lifecycle Steven Borg | Co-founder & Strategist, Northwest Cadence Anthony Borton | ALM Consultant,

02 | Define an Effective End-to-End Software Development Lifecycle Steven Borg | Co-founder & Strategist, Northwest Cadence Anthony Borton | ALM Consultant,
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
Taming Win32 Threads with Static Analysis Jason Yang Program Analysis Group Center for Software Excellence (CSE) Microsoft Corporation.

Taming Win32 Threads with Static Analysis Jason Yang Program Analysis Group Center for Software Excellence (CSE) Microsoft Corporation.
API Design CPSC 315 – Programming Studio Fall 2008 Follows Kernighan and Pike, The Practice of Programming and Joshua Bloch’s Library-Centric Software.

API Design CPSC 315 – Programming Studio Fall 2008 Follows Kernighan and Pike, The Practice of Programming and Joshua Bloch’s Library-Centric Software.
Final exam week Three things on finals week: –final exam –final project presentations –final project report.

Final exam week Three things on finals week: –final exam –final project presentations –final project report.
Software Factory Assembling Applications with Models, Patterns, Frameworks and Tools Anna Liu Senior Architect Advisor Microsoft Australia.

Software Factory Assembling Applications with Models, Patterns, Frameworks and Tools Anna Liu Senior Architect Advisor Microsoft Australia.
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.

Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
ESP: Program Verification Of Millions of Lines of Code Manuvir Das Researcher PPRC Reliability Team Microsoft Research.

ESP: Program Verification Of Millions of Lines of Code Manuvir Das Researcher PPRC Reliability Team Microsoft Research.

Similar presentations

Ads by Google