Presentation is loading. Please wait.

Presentation is loading. Please wait.

(A Somewhat Self-Indulgent) Splint Retrospective David Evans University of Virginia 25 October 2010.

Published byBernard Gilbert Modified over 9 years ago

Similar presentations

Presentation on theme: "(A Somewhat Self-Indulgent) Splint Retrospective David Evans University of Virginia 25 October 2010."— Presentation transcript:

1 (A Somewhat Self-Indulgent) Splint Retrospective David Evans University of Virginia 25 October 2010

2 Splint Pre-History Pre-history 1973: Steve Ziles – algebraic specification of set 1975: John Guttag’s PhD thesis: algebraic specifications for abstract datatypes 1983: Jeanette Wing’s PhD thesis: two-tiered specifications – separate program interface from underlying semantics 1993: John Guttag/Jeanette Wing seminar Larch family specification, theorem prover interface specification languages (including LCL)

3 Formal verifiers are too expensive and time consuming… Effort Required Low Unfathomable Formal Verifiers Bugs Detected none all Compilers

4 Splint offers a low-effort Alternative Effort Required Low Unfathomable Formal Verifiers Bugs Detected none all Compilers Splint

5 1 March 2004Static Analysis5 Security Flaws Reported flaws in Common Vulnerabilities and Exposures Database, Jan-Sep 2001. [Evans & Larochelle, IEEE Software, Jan 2002.] 190 Vulnerabilities Only 4 having to do with crypto 108 of them could have been detected with simple static analyses!

6 (Almost) Everyone Hates Specifications Hard to understand Lots of strange notations Don’t match what the code does Can’t even run them

7 (Almost) Everyone Likes Types Easy to Understand Easy to Use Quickly Detect Many Programming Errors Useful Documentation …even though they are lots of work! – 1/4 of text of typical C program is for types

8 One type per reference System or programmer defines checking rules Language defines checking rules State changes along program paths Type of reference never changes Attributes Types Many attributes per reference

9 Approach Programmers add “annotations” (formal specifications) – Simple and precise – Describe programmers intent: Types, memory management, data hiding, aliasing, modification, null-ity, buffer sizes, security, etc. Splint detects inconsistencies between annotations and code – Simple (fast!) dataflow analyses – Intraprocedural: except for annotations – Unsound and incomplete

10 Sample Annotation: only Reference (return value) owns storage No other persistent (non-local) references to it Implies obligation to transfer ownership Transfer ownership by: – Assigning it to an external only reference – Return it as an only result – Pass it as an only parameter: e.g., extern void free (only void *); extern only char *gptr; extern only out null void *malloc (int);

11 Example 1int dummy (void) { 2 int *ip= (int *) malloc (sizeof (int)); 3 *ip = 3; 4 return *ip; 5 } extern only null void *malloc (int); in library Splint output: dummy.c:3:4: Dereference of possibly null pointer ip: *ip dummy.c:2:13: Storage ip may become null dummy.c:4:14: Fresh storage ip not released before return dummy.c:2:43: Fresh storage ip allocated

12 Example: Buffer Overflows Most commonly exploited security vulnerability – 1988 Internet Worm – Still the most common attack Code Red exploited buffer overflow in IIS >50% of CERT advisories, 23% of CVE entries in 2001 Attributes describe sizes of allocated buffers Heuristics for analyzing loops Found several known and unknown buffer overflow vulnerabilities in wu-ftpd

13 Adding Data Abstraction to C Warnings if code depends on the representation of an abstract type Biggest payoff in maintainability for minimal effort typedef /*@abstract@*/ /*@immutable@*/ char *mstring;

14 Defining Properties to Check Many properties can be described in terms of state attributes – A file is open or closed fopen: returns an open file fclose: open  closed fgets, etc. require open files – Reading/writing – must reset between certain operations

15 Defining Openness attribute openness context reference FILE * oneof closed, open annotations open ==> open closed ==> closed transfers open as closed ==> error closed as open ==> error merge open + closed ==> error losereference open ==> error "file not closed" defaults reference ==> open end Cannot abandon FILE in open state Object cannot be open on one path, closed on another

16 Specifying I/O Functions /*@open@*/ FILE *fopen (const char *filename, const char *mode); int fclose (/*@open@*/ FILE *stream) /*@ensures closed stream@*/ ; char *fgets (char *s, int n, /*@open@*/ FILE *stream);

17 Checking Simple dataflow analysis Intraprocedural – except uses annotations to alter state around procedure calls Integrates with other Splint analyses (e.g., nullness, aliases, ownership, etc.)

18 Splint Success/Failure splint.org visits (last 12 months) Academic impact: over 1000 citations (4 papers with > 200 each) Practice impact: still used, mostly in embedded software development (C) incorporated in popular Linux distributions, commercial products “Splint-inspired” tools are widely used: PREfix/PREfast, Fortify, FindBugs Failures: no slippery slope to more advanced uses of formal methods did not build a self-maintaining open source community

19 FindBugs http://findbugs.sourceforge.net Slide from Bill Pugh’s talk (2009)

20 Static/Dynamic Analysis: Past, Present and Future Verification Grand Challenge Workshop SRI Menlo Park 22 February 2005 David Evans University of Virginia Computer Science Original slides: with updates in orange boxes

21 Static/Dynamic Analysis21 The Past: Trends Lines of Source Code FL Proofs LCLint Splint “Loss of Ambition” “Faster Machines”

22 Static/Dynamic Analysis22 The Present Microsoft PREfix/fast, SLAM  SDV ASTRÉE (Cousot) – Airbus A380 Acquired by MathWorks, 2007 $35M in 2008 $41M in 2008 Acquired by IBM, 2009

23 Static/Dynamic Analysis23 The Present Static Analysis: good at checking generic requirements (types, buffer overflows, …) Dynamic Analysis: good at checking assertions inserted by programmer Bad at knowing what properties to check – Automatic inference techniques – Grand Challenge Repository No good techniques for combining static and dynamic analyses A few since 2005! Concolic Testing [Sen et al., 2007], SAGE (MSR) A few since 2005! Concolic Testing [Sen et al., 2007], SAGE (MSR)

24 The Future: Predictions for 2015 1.Software vendor will lose a major lawsuit because of a program bug 2.Someone will come up with a cool name like “VerXifiedProgramming” and sell a lot of books on program verification 3.No more buffer overflows in major commercial software – Brian Snow at 20 th Oakland conference (1999) predicted we will still be talking about buffer overflows in 2019 Static/Dynamic Analysis24 Has this happened? Still waiting…but 5 years left! SANS list 2010: Buffer overflows are still #3 but…not in OWASP top ten SANS list 2010: Buffer overflows are still #3 but…not in OWASP top ten

25 Static/Dynamic Analysis25 Predictions for 2015 4.Standard compilers prevent most concurrency problems 5.Programmers will still make dumb mistakes and resist change 6.“Good” CS degree programs will: – Incorporate verification into their first course – Include a course on identifying and checking program properties Still a long way off…but lots of work going on

26 Static/Dynamic Analysis26 Making Predictions Never make predictions, especially about the future. – Casey Stengel The best way to predict the future is to invent it. – Alan Kay, 1971 Our plan and our hope was that the next generation of kids would come along and do something better than Smalltalk around 1984 or so… But a variety of different things conspired together, and that next generation actually didn’t show up. – Alan Kay, 2005

Download ppt "(A Somewhat Self-Indulgent) Splint Retrospective David Evans University of Virginia 25 October 2010."

Similar presentations

Static Analysis for Security

Static Analysis for Security
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
The ideal of program correctness Tony Hoare CAVSeattleAugust 2006.

The ideal of program correctness Tony Hoare CAVSeattleAugust 2006.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.

SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.
The ideal of program correctness Tony Hoare BudapestSeptember 2006.

The ideal of program correctness Tony Hoare BudapestSeptember 2006.
Joel Winstead CS201j: Engineering Software University of Virginia Computer Science Lecture 16: Pointers and Memory Management.

Joel Winstead CS201j: Engineering Software University of Virginia Computer Science Lecture 16: Pointers and Memory Management.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification

School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification
Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.

Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.
Static Analysis for Security Amir Bazine Per Rehnberg.

Static Analysis for Security Amir Bazine Per Rehnberg.
CSCI 5801: Software Engineering

CSCI 5801: Software Engineering
CS527: (Advanced) Topics in Software Engineering Overview of Software Quality Assurance Tao Xie ©D. Marinov, T. Xie.

CS527: (Advanced) Topics in Software Engineering Overview of Software Quality Assurance Tao Xie ©D. Marinov, T. Xie.
Software Construction. Implementation System Specification Requirements Analysis Architectural Design Detailed Design Coding & Debugging Unit Testing.

Software Construction. Implementation System Specification Requirements Analysis Architectural Design Detailed Design Coding & Debugging Unit Testing.
Towards Scalable Modular Checking of User-defined Properties Thomas Ball, MSR Brian Hackett, Mozilla Shuvendu Lahiri, MSR Shaz Qadeer, MSR Julien Vanegue,

Towards Scalable Modular Checking of User-defined Properties Thomas Ball, MSR Brian Hackett, Mozilla Shuvendu Lahiri, MSR Shaz Qadeer, MSR Julien Vanegue,
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.

Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Similar presentations

Ads by Google