HCSSAS Capabilities and Limitations of Static Error Detection in Software for Critical Systems S. Tucker Taft CTO, SofCheck, Inc., Burlington, MA, USA.

1 Title slide: HCSSAS Capabilities and Limitations of Static Error Detection in Software for Critical Systems. S. Tucker Taft, CTO, SofCheck, Inc., Burlington, MA, USA

2 Outline
- Advanced Static Analysis for Correctness and Security Checking
- Formal Proof
- Model Checking
- Flow Analysis, Abstract Interpretation, Symbolic Execution
- Future Challenges and Directions
© 2006 SofCheck, Inc. S. Tucker Taft, info@sofcheck.com

3 Advanced Static Analysis
- Correctness and Security Checking
  - Not just "style" checking
- Application-specific Correctness and Security relative to formal specification of application
  - or
- Application-independent Correctness / Meaningfulness / Run-Time-Failure-Free-ness / Security relative to language specification
- Discovery of Properties?

4 Formal Proof
- Traditionally seen as proving (partial or total) correctness relative to formal application specification
- Generally not fully automated; can get "stuck" on loops and recursion, needing human intervention to suggest invariants
  - Progress is being made on achieving lights-out proof systems
- Reputation for only being able to handle small systems
  - Some > 100 KLOC systems have now been "proved" correct
- Hoare Verification Grand Challenge
  - Push the envelope on automated formal verification
- Formal proof systems can be used to prove application-independent properties
  - Freedom from run-time exceptions

5 Model Checking
- Derived from work on hardware verification
- Examines entire state space to verify predicate
- Requires significant approximations to handle enormous software state space
  - E.g. transform into Boolean program
- Can have challenges in finding multiple kinds of errors in a single analysis
- Can be used effectively on design-level model of system

6 Flow Analysis
- Many names
  - Control and Data Flow Analysis
  - Abstract Interpretation
  - Symbolic Execution
- Strong heritage in optimizing compiler technology
  - Alias Analysis
  - Static Single Assignment
  - Value and Range Propagation
  - Scalable Interprocedural Analysis
  - Iterative algorithms to achieve fix point
- Necessary and appropriate approximations
- Sound or unsound (false positives vs. false negatives)
- Flexibility allows orientation toward discovery of properties, e.g.:
  - Discover preconditions of algorithms as-built that ensure no run-time failures
  - Discover maximum stack or heap usage

7 Future Challenges and Directions
- False Negatives and False Positives
  - Too many of either makes diagnostic test useless
  - Fighting against the Halting problem
  - Due to approximations and pragmatics
- Loops and recursion make approximations inevitable
- Example of Boring Positive: failures due to overflow of 32-bit counter
  - Of course it depends on anticipated lifetime of individual invocation of system
  - Think Y2K
- Incremental analysis
  - Handle larger, evolving systems in "developer" time
  - Provide what-if analysis
- Systems of systems
  - Multiple programming languages
  - Extra-language communication mechanisms
- Static Timing and Performance Analysis
  - Automated identification of bottlenecks
  - Related to discovery of properties
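The flow-analysis slide (value and range propagation, iterating to a fix point, sound approximations) and the false-positive discussion on this slide are easiest to see with a small working analyzer. The following is an added example written for this page, not SofCheck's product or any code from the talk: a toy interval-domain abstract interpreter over an assumed mini-language (`assign` and `while_le` statements, `const`/`var`/`add`/`sub`/`div` expressions, all of which are this example's own invention). It propagates value ranges, widens loop-carried bounds to infinity so the fixpoint iteration terminates, takes one narrowing step to recover precision, and emits "may" warnings for 32-bit overflow and possible division by zero. The three sample programs are constructed: a bounded counter that is proven overflow-free, the unbounded 32-bit counter the slide calls a boring positive, and a loop with one safe and one unsafe divisor.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed toy analyzer for this page over an assumed mini-language; not SofCheck's code.
INT32_MIN, INT32_MAX, INF = -2**31, 2**31 - 1, float("inf")

@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float
    def join(self, o: "Interval") -> "Interval":   # least upper bound of two ranges
        return Interval(min(self.lo, o.lo), max(self.hi, o.hi))
    def widen(self, o: "Interval") -> "Interval":
        # A bound still moving after an iteration is pushed to infinity so the
        # fixpoint iteration terminates: the approximation loops force on us.
        return Interval(self.lo if o.lo >= self.lo else -INF,
                        self.hi if o.hi <= self.hi else INF)

TOP = Interval(-INF, INF)                  # "any value"
Env = Dict[str, Interval]
_nan_to = lambda x, default: default if math.isnan(x) else x   # -inf + inf is nan in floats

def eval_expr(e: tuple, env: Env, warnings: Set[str]) -> Interval:
    """Expressions: ("const", n) | ("var", name) | ("add"|"sub"|"div", e1, e2)."""
    kind = e[0]
    if kind == "const":
        return Interval(e[1], e[1])
    if kind == "var":
        return env.get(e[1], TOP)              # never assigned: unknown value
    a, b = eval_expr(e[1], env, warnings), eval_expr(e[2], env, warnings)
    if kind == "add":
        return Interval(_nan_to(a.lo + b.lo, -INF), _nan_to(a.hi + b.hi, INF))
    if kind == "sub":
        return Interval(_nan_to(a.lo - b.hi, -INF), _nan_to(a.hi - b.lo, INF))
    if kind == "div":                          # integer division, truncating toward zero
        if b.lo <= 0 <= b.hi:
            warnings.add(f"possible division by zero: divisor range [{b.lo}, {b.hi}]")
        m = max(abs(a.lo), abs(a.hi))          # coarse but sound: |a / b| <= |a| for nonzero b
        return Interval(-m, m)
    raise ValueError(f"unknown expression {kind}")

def join_env(x: Env, y: Env) -> Env:
    return {v: x.get(v, TOP).join(y.get(v, TOP)) for v in set(x) | set(y)}

def assume_le(env: Env, name: str, bound: Optional[int]) -> Optional[Env]:
    # State on entering `while name <= bound`; None if the guard cannot hold.
    if bound is None:                          # unknown condition: nothing to learn
        return env
    iv = env.get(name, TOP)
    return None if iv.lo > bound else {**env, name: Interval(iv.lo, min(iv.hi, bound))}

def assume_gt(env: Env, name: str, bound: Optional[int]) -> Env:
    # State after the loop exits (guard false); unchanged if the exit looks unreachable.
    iv = env.get(name, TOP)
    if bound is None or iv.hi <= bound:
        return env
    return {**env, name: Interval(max(iv.lo, bound + 1), iv.hi)}

def analyze(prog: List[tuple], env: Env, warnings: Set[str], max_iter: int = 100) -> Env:
    """Statements: ("assign", name, expr) | ("while_le", name, bound_or_None, body)."""
    env = dict(env)
    for stmt in prog:
        if stmt[0] == "assign":
            name, val = stmt[1], eval_expr(stmt[2], env, warnings)
            if val.lo < INT32_MIN or val.hi > INT32_MAX:
                warnings.add(f"possible 32-bit overflow assigning {name}: range [{val.lo}, {val.hi}]")
            env[name] = val
        elif stmt[0] == "while_le":
            _, name, bound, body = stmt
            state, scratch = env, set()        # warnings from pre-fixpoint states are discarded
            for _ in range(max_iter):          # ascending iteration with widening
                entry = assume_le(state, name, bound)
                if entry is None:
                    break
                joined = join_env(state, analyze(body, entry, scratch, max_iter))
                new = {v: state.get(v, TOP).widen(joined[v]) for v in joined}
                if new == state:
                    break
                state = new
            entry = assume_le(state, name, bound)   # one narrowing step, now keeping warnings
            if entry is not None:
                state = join_env(env, analyze(body, entry, warnings, max_iter))
            env = assume_gt(state, name, bound)
        else:
            raise ValueError(f"unknown statement {stmt[0]}")
    return env

def check(prog: List[tuple]) -> Set[str]:
    warnings: Set[str] = set()
    analyze(prog, {}, warnings)
    return warnings

# Constructed sample programs for the situations the slides describe.
BOUNDED = [("assign", "i", ("const", 0)),              # i = 0; while i <= 10: i = i + 1
           ("while_le", "i", 10, [("assign", "i", ("add", ("var", "i"), ("const", 1)))])]
COUNTER = [("assign", "i", ("const", 0)),              # i = 0; while <unknown>: i = i + 1
           ("while_le", "i", None, [("assign", "i", ("add", ("var", "i"), ("const", 1)))])]
DIVIDE = [("assign", "i", ("const", 0)),               # q = 100/(i+1) is safe; r = 100/(i-5) is not
          ("while_le", "i", 10, [
              ("assign", "q", ("div", ("const", 100), ("add", ("var", "i"), ("const", 1)))),
              ("assign", "r", ("div", ("const", 100), ("sub", ("var", "i"), ("const", 5)))),
              ("assign", "i", ("add", ("var", "i"), ("const", 1)))])]
```

`check(BOUNDED)` comes back empty and the exit state proves `i == 11`, because the loop guard bounds the counter on every iteration. `check(COUNTER)` reports a possible 32-bit overflow of `i`: with an unknown loop condition the widened range is `[0, inf]`, and the analyzer cannot know whether the program runs long enough to wrap, which is exactly why the slide calls this a boring positive that depends on the anticipated lifetime of the system. `check(DIVIDE)` flags only the `i - 5` divisor, whose range `[-5, 5]` contains zero, while `i + 1` is cleared without any annotation. The division result is bounded very coarsely (`|a / b| <= |a|`), a deliberate instance of the "necessary and appropriate approximations" the flow-analysis slide lists: it is sound and cheap, and it costs precision rather than missed errors.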

8 Contact: 11 Cypress Drive, Burlington, MA 01803-4907. Tucker Taft, tucker.taft@sofcheck.com, +1 (781) 750-8068 x220

