Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Evans These slides: Introduction to Static Analysis.

Published byMeagan Murphy Modified over 9 years ago

Similar presentations

Presentation on theme: "David Evans These slides: Introduction to Static Analysis."— Presentation transcript:

1 David Evans http://www.cs.virginia.edu/evans These slides: http://www.cs.virginia.edu/evans/talks/cs340-s04.ppt Introduction to Static Analysis

2 1 March 2004Static Analysis2 How do you decide if a system is dependable?

3 1 March 2004Static Analysis3 Validation: Dictionary Definition val·i·date 1.To declare or make legally valid. 2.To mark with an indication of official sanction. 3.To establish the soundness of; corroborate. Can we do any of these with software?

4 1 March 2004Static Analysis4 Sun’s Java License 5. LIMITATION OF LIABILITY. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED TO THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. …

5 1 March 2004Static Analysis5 Java’s License 2. RESTRICTIONS. … Unless enforcement is prohibited by applicable law, you may not modify, decompile, or reverse engineer Software. You acknowledge that Software is not designed, licensed or intended for use in the design, construction, operation or maintenance of any nuclear facility. Sun disclaims any express or implied warranty of fitness for such uses.

6 1 March 2004Static Analysis6 Software Validation Process designed to increase our confidence that a program works as intended For complex programs, cannot often make guarantees This is why typical software licenses don’t make any claims about their program working

7 1 March 2004Static Analysis7 Increasing Confidence Testing –Run the program on set of inputs and check the results Verification –Argue formally or informally that the program always works as intended Analysis –Poor programmer’s verification: examine the source code to increase confidence that it works as intended

8 1 March 2004Static Analysis8 Testing If all the test cases produce the correct results, you know that a particular execution of the program on each of the test cases produced the correct result Concluding that this means the program is correct is like concluding there are no fish in the river because you didn’t catch one! What makes a good test case?

9 1 March 2004Static Analysis9 Analysis Make claims about all possible paths by examining the program code directly, not executing it Use formal semantics of programming language to know what things mean Use formal specifications of procedures to know that they do

10 1 March 2004Static Analysis10 Example Software Properties Does what the customer wants Does what the programmer intends Doesn’t do anything dangerous Always eventually halts Never dereferences null Always opens a file before writing to it Never prints “3”

11 1 March 2004Static Analysis11 Hopelessness of Analysis It is impossible to correctly decide if any interesting property is true for an arbitrary program!

12 1 March 2004Static Analysis12 Halting Problem Can we write a program that takes any program as input and returns true if that program always halts, and returns false if it sometimes doesn’t halt. bool alwaysHalts (Program p) { … // returns true iff p will halt }

13 1 March 2004Static Analysis13 Informal Proof Suppose we could write alwaysHalts. Proof by contradiction: bool contradictHalts () { if (alwaysHalts (contradictHalts)) { while (true) ; // loop forever } else { return false; } What is alwaysHalts (contradictHalts) ?

14 1 March 2004Static Analysis14 Hopelessness of Analysis But this means, we can’t write a program that decides any other interesting property either: bool dereferencesNull (Program p) // EFFECTS: Returns true if p ever dereferences null, // false otherwise. bool alwaysHalts (Program p) { return (derefencesNull (new Program (“p (); *NULL;”))); }

15 1 March 2004Static Analysis15 Give Up and go to the Beach?

16 1 March 2004Static Analysis16 Compromises Only work for some programs Accept unsoundness and incompleteness False positives: sometimes an analysis tool will report warnings for a program, when the program is actually okay (incompleteness – can’t prove a property that is true) False negatives: sometimes an analysis tool will report no warnings for a program, even when the program violates properties it checks (unsoundness – proves a property that is not true)

17 1 March 2004Static Analysis17 Properties to Analyze Generic Properties –Dangerous Code C: memory leaks, dereferencing null, type mismatches, undefined behavior, etc. Concurrency: race conditions, deadlocks –Don’t need a specification (but it may help across procedure boundaries) Application-Specific Properties –Need some way of describing the properties we want

18 1 March 2004Static Analysis18 Splint Annotation-assisted lightweight analysis tool for C

19 1 March 2004Static Analysis19 A Gross Oversimplification Effort Required Low Unfathomable Formal Verifiers Bugs Detected none all Compilers Splint

20 1 March 2004Static Analysis20 (Almost) Everyone Likes Types Easy to Understand Easy to Use Quickly Detect Many Programming Errors Useful Documentation …even though they are lots of work! –1/4 of text of typical C program is for types

21 1 March 2004Static Analysis21 Limitations of Standard Types Type of reference never changes State changes along program paths Language defines checking rules System or programmer defines checking rules One type per reference Many attributes per reference

22 1 March 2004Static Analysis22 Type of reference never changes State changes along program paths Language defines checking rules System or programmer defines checking rules One type per reference Many attributes per reference Attributes Limitations of Standard Types

23 1 March 2004Static Analysis23 Approach Programmers add annotations (formal specifications) –Simple and precise –Describe programmers intent: Types, memory management, data hiding, aliasing, modification, null-ity, buffer sizes, security, etc. Splint detects inconsistencies between annotations and code –Simple (fast!) dataflow analyses

24 1 March 2004Static Analysis24 Sample Annotation: only Reference (return value) owns storage No other persistent (non-local) references to it Implies obligation to transfer ownership Transfer ownership by: –Assigning it to an external only reference –Return it as an only result –Pass it as an only parameter: e.g., extern void free (only void *); extern only char *gptr; extern only out null void *malloc (int);

25 1 March 2004Static Analysis25 Example 1int dummy (void) { 2 int *ip= (int *) malloc (sizeof (int)); 3 *ip = 3; 4 return *ip; 5 } extern only null void *malloc (int); in library Splint output: dummy.c:3:4: Dereference of possibly null pointer ip: *ip dummy.c:2:13: Storage ip may become null dummy.c:4:14: Fresh storage ip not released before return dummy.c:2:43: Fresh storage ip allocated

26 1 March 2004Static Analysis26 Security Flaws Reported flaws in Common Vulnerabilities and Exposures Database, Jan-Sep 2001. [Evans & Larochelle, IEEE Software, Jan 2002.] 190 Vulnerabilities Only 4 having to do with crypto 108 of them could have been detected with simple static analyses!

27 1 March 2004Static Analysis27 Example: Buffer Overflows Most commonly exploited security vulnerability –1988 Internet Worm –Still the most common attack Code Red exploited buffer overflow in IIS >50% of CERT advisories, 23% of CVE entries in 2001 Attributes describe sizes of allocated buffers Heuristics for analyzing loops Found several known and unknown buffer overflow vulnerabilities in wu-ftpd

28 1 March 2004Static Analysis28 Other Static Analysis Tools ESC/Java (DEC/Compaq/HP SRC) –Annotations describe invariants –Detects possible RunTime execptions Coverity SWAT (Coverity, Inc., was Stanford research project) –Statistical analysis of large code bases to find anomalies –Has found thousands of flaws in Linux PREfix (Microsoft) –No user annotations, but models library functions –Used on Windows, Office, etc. code base Heuristics to prioritize thousands of warnings

29 1 March 2004Static Analysis29 Summary Redundancy is good for dependability Static analysis tools can check redundant information is consistent Any useful property is impossible to decide soundly and completely (but, lots of useful checking can still be done) For more on Splint: www.splint.org http://www.cs.virginia.edu/evans/talks/cs340-s04.ppt

Download ppt "David Evans These slides: Introduction to Static Analysis."

Similar presentations

Static Analysis for Security

Static Analysis for Security
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
David Evans CS201j: Engineering Software? University of Virginia Computer Science Lecture 2: Java Semantics, Validation.

David Evans CS201j: Engineering Software? University of Virginia Computer Science Lecture 2: Java Semantics, Validation.
Testing and Quality Assurance

Testing and Quality Assurance
SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.

SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.
Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.

Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.
This Time Pointers (declaration and operations) Passing Pointers to Functions Const Pointers Bubble Sort Using Pass-by-Reference Pointer Arithmetic Arrays.

This Time Pointers (declaration and operations) Passing Pointers to Functions Const Pointers Bubble Sort Using Pass-by-Reference Pointer Arithmetic Arrays.
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.

1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
Cs2220: Engineering Software Class 5: Validation Fall 2010 University of Virginia David Evans.

Cs2220: Engineering Software Class 5: Validation Fall 2010 University of Virginia David Evans.
Joel Winstead CS201j: Engineering Software University of Virginia Computer Science Lecture 16: Pointers and Memory Management.

Joel Winstead CS201j: Engineering Software University of Virginia Computer Science Lecture 16: Pointers and Memory Management.
1 Static Testing: defect prevention SIM3302. 2 objectives Able to list various type of structured group examinations (manual checking) Able to statically.

1 Static Testing: defect prevention SIM objectives Able to list various type of structured group examinations (manual checking) Able to statically.
1 Homework Turn in HW2 at start of next class. Starting Chapter 2 K&R. Read ahead. HW3 is on line. –Due: class 9, but a lot to do! –You may want to get.

1 Homework Turn in HW2 at start of next class. Starting Chapter 2 K&R. Read ahead. HW3 is on line. –Due: class 9, but a lot to do! –You may want to get.
1 Lecture 7 Halting Problem –Fundamental program behavior problem –A specific unsolvable problem –Diagonalization technique revisited Proof more complex.

1 Lecture 7 Halting Problem –Fundamental program behavior problem –A specific unsolvable problem –Diagonalization technique revisited Proof more complex.
1 Lecture 7 Halting Problem –Fundamental program behavior problem –A specific unsolvable problem –Diagonalization technique revisited Proof more complex.

1 Lecture 7 Halting Problem –Fundamental program behavior problem –A specific unsolvable problem –Diagonalization technique revisited Proof more complex.
1CMSC 345, Version 4/04 Verification and Validation Reference: Software Engineering, Ian Sommerville, 6th edition, Chapter 19.

1CMSC 345, Version 4/04 Verification and Validation Reference: Software Engineering, Ian Sommerville, 6th edition, Chapter 19.
Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.

Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.
CS527: (Advanced) Topics in Software Engineering Overview of Software Quality Assurance Tao Xie ©D. Marinov, T. Xie.

CS527: (Advanced) Topics in Software Engineering Overview of Software Quality Assurance Tao Xie ©D. Marinov, T. Xie.
©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 19Slide 1 Verification and Validation l Assuring that a software system meets a user's.

©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 19Slide 1 Verification and Validation l Assuring that a software system meets a user's.

Similar presentations

Ads by Google