Presentation is loading. Please wait.

Presentation is loading. Please wait.

Finding bugs with system-specific static analysis Dawson Engler Ken Ashcraft, Ben Chelf, Andy Chou, Seth Hallem, Yichen Xie, Junfeng Yang Stanford University.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Finding bugs with system-specific static analysis Dawson Engler Ken Ashcraft, Ben Chelf, Andy Chou, Seth Hallem, Yichen Xie, Junfeng Yang Stanford University."— Presentation transcript:

1 Finding bugs with system-specific static analysis Dawson Engler Ken Ashcraft, Ben Chelf, Andy Chou, Seth Hallem, Yichen Xie, Junfeng Yang Stanford University This talk is about how you can find lots of bugs in real code by making compilers aggressively system specific

2 u Systems have many ad hoc correctness rules –“sanitize user input before using it”; “check permissions before doing operation X” –One error = compromised system u If we know rules, can check with extended compiler –Rules map to simple source constructs –Use compiler extensions to express them –Nice: scales, precise, statically find 1000s of errors Context: finding bugs w/ static analysis Reduced to using grep on millions of line of code, or documentation, hoping you can find all cases ent->data = kmalloc(..) if(!ent->data) free(ent); goto out; … out: return ent; Linux fs/proc/ generic.c GNU C compiler free checker “using ent after free!”

3 A bit more detail sm free_checker { state decl any_pointer v; decl any_pointer x; start: { kfree(v); } ==> v.freed ; v.freed: { v != x } || { v == x } ==> { /* do nothing */ } | { v } ==> { err(“Use after free!”); } ; } start v. freed error use(v) kfree(v) Simple. Have had freshman write these and post bugs to linux groups. Three parts: start state. Pattern, match does a transition, callouts. Scales with sophistication of analysis. System will kill variables, track when they are assigned to others. Simple. Have had freshman write these and post bugs to linux groups. Three parts: start state. Pattern, match does a transition, callouts. Scales with sophistication of analysis. System will kill variables, track when they are assigned to others. /* 2.4.1: fs/proc/generic.c */ ent->data = kmalloc(…) if(!ent->data) { kfree(ent); goto out; … out: return ent;

4 A quick analysis example foo(int *x) { } freeit(x); if(y) …… *x bar(int *y) { } freeit(y); *y freeit(int *z) { } kfree(z);

5 A quick analysis example foo(int *x) { } freeit(x); if(y) …… *x bar(int *y) { } freeit(y); *y freeit(int *z) { } kfree(z);

6 A quick analysis example foo(int *x) { } freeit(x); if(y) …… *x bar(int *y) { } freeit(y); *y freeit(int *z) { } kfree(z); { v:z.start->freed }

7 A quick analysis example foo(int *x) { } freeit(x); if(y) … … *x bar(int *y) { } freeit(y); *y freeit(int *z) { } kfree(z); { v:z.start->freed } { v:z.freed }

8 A quick analysis example foo(int *x) { } freeit(x); if(y) … … *x bar(int *y) { } freeit(y); *y freeit(int *z) { } kfree(z); { v:z.start->freed } { v:z.freed }

9 A quick analysis example foo(int *x) { } freeit(x); if(y) … … *x bar(int *y) { } freeit(y); *y freeit(int *z) { } kfree(z); { v:z.start->freed } { v:z.freed } ERROR: use after free!

10 A quick analysis example foo(int *x) { } freeit(x); if(y) … … *x bar(int *y) { } freeit(y); *y freeit(int *z) { } kfree(z); { v:z.start->freed } { v:z.freed } ERROR: use after free! { v:z.freed }

11 A quick analysis example foo(int *x) { } freeit(x); if(y) … … *x bar(int *y) { } freeit(y); *y freeit(int *z) { } kfree(z); { v:z.start->freed } { v:z.freed } ERROR: use after free! { v:z.freed }

12 A quick analysis example foo(int *x) { } freeit(x); if(y) … … *x bar(int *y) { } freeit(y); *y freeit(int *z) { } kfree(z); { v:z.start->freed } { v:z.freed } ERROR: use after free! { v:z.freed }

13 A quick analysis example foo(int *x) { } freeit(x); if(y) … … *x bar(int *y) { } freeit(y); *y freeit(int *z) { } kfree(z); { v:z.start->freed } { v:z.freed } ERROR: use after free! { v:z.freed } { v:y.freed }

14 u Metacompilation [OSDI’00,ASPLOS’00]: –Correctness rules map clearly to concrete source actions –Check by making compilers aggressively system-specific –Easy: digest sentence fragment, write checker. –Result: precise, immediate error diagnosis. Found errors in every system looked at u Next: A deeper look at a security checker[S&P’01] –Flags when untrusted input is not sanitized before use u Broader checking: Inferring rules [SOSP ’01] –Great lever: find errors without knowing truth u Some practical issues Talk Overview Given a set of uses of some interface you’ve built, you invariably see better ways of doing things. This gives you a way to articulate this knowlege and have the compiler do it for you automatically. Let one person do it. Easier to write code to check than it is to write code that obeys

15 “X before Y”: sanitize integers before use u Security: OS must check user integers before use u MC checker: Warn when unchecked integers from untrusted sources reach trusting sinks –Global; simple to retarget (text file with 2 srcs&12 sinks) –Linux: 125 errors, 24 false; BSD: 12 errors, 4 false array[v] while(i < v) … v.clean Use(v) v.tainted Syscall param Network packet copyin(&v, p, len) any<= v <= any memcpy(p, q, v) copyin(p,q,v) copyout(p,q,v) ERROR User supplies base functions, we check the rest (9/2 sources, 15/12 sinks). Interesting: written by an undergrad, no compiler course, probably has close to the world record of security holes found.

16 Some big, gaping security holes. u Remote exploit, no checks u Unexpected overflow: Good example: understood once by someone, writes checker and then imposed on everyone. /* 2.4.9/drivers/isdn/act2000/capi.c:actcapi_dispatch */ isdn_ctrl cmd;... while ((skb = skb_dequeue(&card->rcvq))) { msg = skb->data;... memcpy(cmd.parm.setup.phone,msg->msg.connect_ind.addr.num, msg->msg.connect_ind.addr.len - 1); /* 2.4.9-ac7/fs/intermezzo/psdev.c */ error = copy_from_user(&input, (char *)arg, sizeof(input)); input.path = kmalloc(input.path_len + 1, GFP_KERNEL); if ( !input.path ) return -ENOMEM; error =copy_from_user(input.path,user_path, input.path_len);

17 Results for BSD 2.8 & 4 months of Linux –All bugs released to implementors; most serious fixed Good example: understood once by someone, writes checker and then imposed on everyone. People know in the abstract that they have fixed sized integers; be hard pressed to find anyone that admitted otherwise. However, they prompty program as if they are arbitrarily sized. Linux BSD Violation Bug Fixed Bug Fixed Gain control of system18 15 3 3 Corrupt memory 43 17 2 2 Read arbitrary memory 19 14 7 7 Denaial of service 17 5 0 0 Minor 28 1 0 0 Total 125 52 12 12 Local bugs 109 12 Global bugs 16 0 Bugs from inferred ints 12 0 False positives 24 4 Number of checks ~3500 594

18 Many other checkers u Concurrency –Deadlock –Missing unlock or enable interrupt call –Prototype race detection u Memory errors –Null pointer bugs –Not checking allocation result –Using freed pointers –Not deallocating memory on return paths. u General temporal properties –A then B, A then NOT B, etc Security checkers –Unsafe uses of unvetted input: integers, strings, pointers –Exploitable errors u Statistically inferring –Paired functions –Functions that deallocate arguments –Functions that return null pointers –Variables that are unsafe –Which locks protect which variables u …

19 u Metacompilation –Correctness rules map clearly to concrete source actions –Check by making compilers aggressively system-specific –One person writes checker, imposed on all code u Next: Belief analysis –Using programmer beliefs to infer state of system, relevant rules u Managing false positives u Some experience Talk Overview Given a set of uses of some interface you’ve built, you invariably see better ways of doing things. This gives you a way to articulate this knowlege and have the compiler do it for you automatically. Let one person do it. Easier to write code to check than it is to write code that obeys

20 u Problem: what are the rules?!?! –100-1000s of rules in 100-1000s of subsystems. –To check, must answer: Must a() follow b()? Can foo() fail? Does bar(p) free p? Does lock l protect x? –Manually finding rules is hard. So don’t. Instead infer what code believes, cross check for contradiction u Intuition: how to find errors without knowing truth? –Contradiction. To find lies: cross-examine. Any contradiction is an error. –Deviance. To infer correct behavior: if 1 person does X, might be right or a coincidence. If 1000s do X and 1 does Y, probably an error. –Crucial: we know contradiction is an error without knowing the correct belief! Goal: find as many serious bugs as possible Reduced to playing where’s waldo with grep on millions of line of code, or documentation, hoping you can find all cases

21 u MUST beliefs: –Inferred from acts that imply beliefs code *must* have. –Check using internal consistency: infer beliefs at different locations, then cross-check for contradiction u MAY beliefs: could be coincidental –Inferred from acts that imply beliefs code *may* have –Check as MUST beliefs; rank errors by belief confidence. Cross-checking program belief systems x = *p / z; // MUST belief: p not null // MUST: z != 0 unlock(l); // MUST: l acquired x++; // MUST: x not protected by l // MAY: A() and B() // must be paired Specification = checkable redundancy. Can cross check code against itself for same effect. Others: that x was not already equal to value. B(); // MUST: B() need not // be preceded by A() A(); … B(); A(); … B(); A(); … B(); A(); … B();

22 Internal Consistency: finding security holes u Applications are bad: –Rule: “do not dereference user pointer ” –One violation = security hole –Detect with static analysis if we knew which were “bad” –Big Problem: which are the user pointers??? u Sol’n: forall pointers, cross-check two OS beliefs –“*p” implies safe kernel pointer –“copyin(p)/copyout(p)” implies dangerous user pointer –Error: pointer p has both beliefs. –Implemented as a two pass global checker u Result: 24 security bugs in Linux, 18 in OpenBSD –(about 1 bug to 1 false positive) First pass: mark all pointers treated as user pointers. Second pass: make sure they are never dereferenced.

23 u Still alive in linux 2.4.4: –Tainting marks “rt” as a tainted pointer, checking warns that rt is passed to a routine that dereferences it –3 other examples in same routine /* drivers/net/appletalk/ipddp.c:ipddp_ioctl */ case SIOFCINDIPDDPRT: if(copy_to_user(rt, ipddp_find_route(rt), sizeof(struct ipddp_route))) return –EFAULT; An example Marked as tainted because passed as the first argument to copy_to_user, which is used to access potentientially bad user pointers. Does global analysis to detect that the pointer will be dereferenced by ippd_…

24 u Common: multiple implementations of same interface. –Beliefs of one implementation can be checked against those of the others! u User pointer (3 errors): If one implementation taints its argument, all others must –How to tell? Routines assigned to same function pointer –More general: infer execution context, arg preconditions… –Interesting q: what spec properties can be inferred? Cross checking beliefs related abstractly –Parameter features: Can a param be null? What are legal values of integer parameter Return code: What are allowable error code to return & when? Execution context: Are interrupts off or on when code runs? When it exits? Does it run concurrently? –Parameter features: Can a param be null? What are legal values of integer parameter Return code: What are allowable error code to return & when? Execution context: Are interrupts off or on when code runs? When it exits? Does it run concurrently? foo_write(void *p, void *arg,…){ copy_from_user(p, arg, 4); disable(); … do something … enable(); return 0; } bar_write(void *p, void *arg,…){ *p = *(int *)arg; … do something … disable(); return 0; } If one does it right, we can cross check all: if one dev gets it right we are in great shape.

25 Belief analysis to find missed sources/sinks u Detect missed sinks: –Usual: (1) read tainted input, (2) check, (3) pass to sink –If we see (1) & (2) but not (3) implies missed sink Good example: understood once by someone, writes checker and then imposed on everyone. People know in the abstract that they have fixed sized integers; be hard pressed to find anyone that admitted otherwise. However, they prompty program as if they are arbitrarily sized. copy_from_user(&x, arg, sz); if(x >= MAX || x < 0) return –EINVALID; array[x] = 10; … copy_from_user(&x, arg, sz); if(x >= MAX || x < 0) return –EINVALID; … no dangerous use… ExpectedSuspicious

26 Belief analysis to find missed sources/sinks u Detect missed sinks: –Usual: (1) read tainted input, (2) check, (3) pass to sink –If we see (1) & (2) but not (3) implies missed sink u Detect missed sources of information –Similar to pointers: if variable used to specify user addr implies it is untrusted. Taint it and flag. Good example: understood once by someone, writes checker and then imposed on everyone. People know in the abstract that they have fixed sized integers; be hard pressed to find anyone that admitted otherwise. However, they prompty program as if they are arbitrarily sized. copy_from_user(&x, arg, sz); if(x >= MAX || x < 0) return –EINVALID; array[x] = 10; … array[arg] = 11; copy_from_user(&x, arg, sz); if(x >= MAX || x < 0) return –EINVALID; … no dangerous use… ExpectedSuspicious

27 Belief analysis to find missed sources/sinks u Detect missed sinks: –Usual: (1) read tainted input, (2) check, (3) pass to sink –If we see (1) & (2) but not (3) implies missed sink u Detect missed sources of information –Similar to pointers: if variable used to specify user addr implies it is untrusted. Taint it and flag. Good example: understood once by someone, writes checker and then imposed on everyone. People know in the abstract that they have fixed sized integers; be hard pressed to find anyone that admitted otherwise. However, they prompty program as if they are arbitrarily sized. copy_from_user(&x, arg, sz); if(x >= MAX || x < 0) return –EINVALID; array[x] = 10; … array[arg] = 11; copy_from_user(&x, arg, sz); if(x >= MAX || x < 0) return –EINVALID; … no dangerous use… ExpectedSuspicious

28 MAY beliefs u Separate fact from coincidence? General approach: –Assume MAY beliefs are MUST beliefs & check them –Count number of times belief passed check (success) –Count number of times belief failed check (fail) –Rank errors based on ratio of successes to failures u How to weigh evidence? –Treat as independent “binomial trials”. –Expected = n*p. Stddev= sqrt(n*p*(1-p)). Typical p =.8 –Compute degree of skew in terms of stddevs: Intuition: the more often x is obeyed correctly, the more likely it is to be a valid instance. Pr(k,n) = (n chose k) * p^k * (1-p)^(n-k) Z = (observed – expected) / stddev = (k – n*p) / sqrt(n*.8*.2)

29 Statistical: Deriving deallocation routines u Use-after free errors are horrible. –Problem: lots of undocumented sub-system free functions –Soln: derive behaviorally: pointer “p” not used after call “foo(p)” implies MAY belief that “foo” is a free function u Conceptually: Assume all functions free all arguments –(in reality: filter functions that have suggestive names) –Emit a “check” message at every call site. –Emit an “error” message at every use –Rank errors using z test statistic: z(checks, errors) –E.g., foo.z(3, 3) < bar.z(3, 1) so rank bar’s error first –Results: 23 free errors, 11 false positives foo(p); *p = x; foo(p); *p = x; foo(p); *p = x; bar(p); p = 0; bar(p); p = 0; bar(p); *p = x; Can cross-correlate: free is on error path, has dealloc in name, etc, bump up ranking. Foo has 3 errors, and 3 checks. Bar, 3 checks, one error. Essentially every passed check implies belief held, every error = not held

30 Recall: deterministic free checker sm free_checker { state decl any_pointer v; decl any_pointer x; start: { kfree(v); } ==> v.freed ; v.freed: { v != x } || { v == x } ==> { /* do nothing */ } | { v } ==> { err(“Use after free!”); } ; } Simple. Have had freshman write these and post bugs to linux groups. Three parts: start state. Pattern, match does a transition, callouts. Scales with sophistication of analysis. System will kill variables, track when they are assigned to others. Simple. Have had freshman write these and post bugs to linux groups. Three parts: start state. Pattern, match does a transition, callouts. Scales with sophistication of analysis. System will kill variables, track when they are assigned to others.

31 A statistical free checker sm free_checker local { state decl any_pointer v; decl any_fn_call call; decl any_pointer x; start: { call(v) } ==> v.freed, { mc_v_set_data(v, mc_identifier(call)); v_note(“checking [POP=$data]”, v); } ; v.freed: { v != x } || { v == x } ==> { /* do nothing */ } | { v } ==> { v_err(“Use after free! [FAIL=$data]”, v); } ; } Simple. Have had freshman write these and post bugs to linux groups. Three parts: start state. Pattern, match does a transition, callouts. Scales with sophistication of analysis. System will kill variables, track when they are assigned to others. Simple. Have had freshman write these and post bugs to linux groups. Three parts: start state. Pattern, match does a transition, callouts. Scales with sophistication of analysis. System will kill variables, track when they are assigned to others.

32 Ranked free errors Kfree[0]: 2623 checks, 60 errors, z= 48.87 2.4.1/drivers/sound/sound_core.c:sound_insert_unit: ERROR:171:178: Use-after-free of 's'! set by 'kfree‘... kfree_skb[0]: 1070 checks, 13 errors, z = 31.92 2.4.1/drivers/net/wan/comx-proto-fr.c:fr_xmit: ERROR:508:510: Use-after-free of 'skb'! set by 'kfree_skb‘... [FALSE] page_cache_release[0] ex=117, counter=3, z = 10.3 dev_kfree_skb[0]: 109 checks, 4 errors, z=9.67 2.4.1/drivers/atm/iphase.c:rx_dle_intr: ERROR:1321:1323: Use-after-free of 'skb'! set by 'dev_kfree_skb_any‘... cmd_free[1]: 18 checks, 1 error, z=3.77 2.4.1/drivers/block/cciss.c:667:cciss_ioctl: ERROR:663:667: Use-after-free of 'c'! set by 'cmd_free[1]' drm_free_buffer[1] 15 checks, 1 error, z = 3.35 2.4.1/drivers/char/drm/gamma_dma.c:gamma_dma_send_buffers: ERROR:Use-after-free of 'last_buf'! [FALSE] cmd_free[0] 18 checks, 2 errors, z = 3.2 Stratified error reports: rank all errors for different classes. See that there is a few clear ones, then a longer tail. At the top, 2.6K ok checks and 60 violations (2% error?) the third function was bogus. The next few were good, then there was a tail so we stopped. You decide how deeply to go down. Good for both discovery and for validation that you have everything.

33 A bad free error /* drivers/block/cciss.c:cciss_ioctl */ if (iocommand.Direction == XFER_WRITE){ if (copy_to_user(...)) { cmd_free(NULL, c); if (buff != NULL) kfree(buff); return( -EFAULT); } } if (iocommand.Direction == XFER_READ) { if (copy_to_user(...)) { cmd_free(NULL, c); kfree(buff); } } cmd_free(NULL, c); if (buff != NULL) kfree(buff);

34 Deriving “A() must be followed by B()” u “a(); … b();” implies MAY belief that a() follows b() –Programmer may believe a-b paired, or might be a coincidence. u Algorithm: –Assume every a-b is a valid pair (reality: prefilter functions that seem to be plausibly paired) –Emit “check” for each path that has a() then b() –Emit “error” for each path that has a() and no b() –Rank errors for each pair using the test statistic »z(foo.check, foo.error) = z(2, 1) u Results: 23 errors, 11 false positives. foo(p, …) bar(p, …); “check foo-bar” x(); y(); “check x-y” foo(p, …); … “error:foo, no bar!”

35 Checking derived lock functions u Evilest: u And the award for best effort: /* 2.4.1: drivers/sound/trident.c: trident_release: lock_kernel(); card = state->card; dmabuf = &state->dmabuf; VALIDATE_STATE(state); /* 2.4.0:drivers/sound/cmpci.c:cm_midi_release: */ lock_kernel(); if (file->f_mode & FMODE_WRITE) { add_wait_queue(&s->midi.owait, &wait);... if (file->f_flags & O_NONBLOCK) { remove_wait_queue(&s->midi.owait, &wait); set_current_state(TASK_RUNNING); return –EBUSY; … unlock_kernel();

36 u Traditional: –Use global analysis to track which routines return NULL –Problem: false positives when pre-conditions hold, difficult to tell statically (“return p->next”?) u Instead: see how often programmer checks. –Rank errors based on number of checks to non-checks. u Algorithm: Assume *all* functions can return NULL –If pointer checked before use, emit “check” message –If pointer used before check, emit “error” –Sort errors based on ratio of checks to errors u Result: 152 bugs, 16 false. Statistical: deriving routines that can fail p = foo(…); *p = x; p = bar(…); if(!p) return; *p = x; p = bar(…); if(!p) return; *p = x; p = bar(…); if(!p) return; *p = x; p = bar(…); *p = x; Can also use consistency: if a routine calls a routine that fails, then it to can fail. Similarly, if a routine checks foo for failure, but calls bar, which does not, is a type error. (In a sense can use witnesses: take good code and see what it does, reapply to unknown code)

37 The worst bug u Starts with weird way of checking failure: u So why are we looking for “seg_alloc”? /* ipc/shm.c:750:newseg: */ if (!(shp = seg_alloc(...)) return -ENOMEM; id = shm_addid(shp); /* 2.3.99: ipc/shm.c:1745:map_zero_setup */ if (IS_ERR(shp = seg_alloc(...))) return PTR_ERR(shp); static inline long IS_ERR(const void *ptr) { return (unsigned long)ptr > (unsigned long)-1000L; } int ipc_addid(…* new…) {... new->cuid = new->uid =…; new->gid = new->cgid = … ids->entries[id].p = new; int ipc_addid(…* new…) {... new->cuid = new->uid =…; new->gid = new->cgid = … ids->entries[id].p = new;

38 u Metacompilation Overview u Belief analysis: broader checking –Beliefs code MUST have: Contradictions = errors –Beliefs code MAY have: check as MUST beliefs and rank errors by belief confidence –Key feature: find errors without knowing truth u Next: Managing false positives u Some experience Talk Overview Given a set of uses of some interface you’ve built, you invariably see better ways of doing things. This gives you a way to articulate this knowlege and have the compiler do it for you automatically. Let one person do it. Easier to write code to check than it is to write code that obeys

39 Managing false positives u Deterministic ranking –Short distance over long, local over global. –Important over less important u System-specific: suppress impossible paths // Mark paths containing non-returning function as dead. start: { call(args) } ==> { if(mc_is_name(call, “panic”)) mc_kill_path(mc_stmt); } // or conditionals that check “user” for “kernel” | (v != 0) ==> { if(mc_name_contains(v, “kernel”)) mc_kill_true_path(mc_stmt); else if(mc_name_contains(v, “user”)) mc_kill_false_path(mc_stmt); }

40 Statistical ranking: z-ranking u Which analysis decisions to trust? –Valid analysis decision: many successful checks, one error –Classic false positive: few successful checks, many errors –Use the z-test statistic to rank! u How? –Decide what constitutes a success or failure –Group related failures and successes into eqv class eq[i] –Rank errors by z-rank of their class z(eq[i].s, eq[i].f) u Used to rank locking errors, freed pointers, security errors, …

41 Z-ranking Example: rank paired locks u Intraprocedural lock checker false positives –Analysis limits –Conflated role of semaphores u Apply z-ranking: Failure: acquisition, no release Success: correct release Related: all messages for same acquisition site contrived(lock_t l) { spin_lock(l); if(!(p = malloc(…)) return -ENOMEM; spin_unlock(l); Z S:F Bugs:FP Cum Z Cum Rand 4.9 5:1 1:0 1:0 0:1 4.3 4:1 2:1 3:1 1:3 2.7 2:1 7:5 10:6 2:14 2.1 2:2 2:0 12:6 2:16 1.5 1:1 3:15 15:21 5:31 … -.4 0:1 0:93 18:118 12:124

42 Some cursory experiences u Bugs are everywhere –Initially worried we’d resort to historical data… –100 checks? You’ll find bugs (if not, bug in analysis) –People don’t fix all the bugs u Often simple analysis works well. –Easy for programmer? Easy for analysis. Hard for analysis? Hard for person. u Soundness not needed for good results –Most extreme: Doesn’t compile? Delete it. u Finding errors often easy, saying why is hard –Have to track and articulate all reasons. u More analysis a mixed blessing –Has to be replicated by programmer. Exhausting. We demote errors for each analysis step.

43 Two big open questions u How to find the most important bug? –Main metric is bug counts or type –How to flag the 2-3 bugs that will really kill system? u Do static tools really help? Bugs found Bugs that mattered The hope Bugs found Bugs that mattered The null hypothesis Bugs found Bugs that mattered A Possibility

44 u Tool-based checking –PREfix/PREfast –Slam –ESP u Higher level languages –TypeState, Vault –Foster et al’s type qualifier work. u Derivation: –Houdini to infer some ESC specs –Ernst’s Daikon for dynamic invariants –Larus et al dynamic temporal inference u Deeper checking –Bandera Related work

45 u MC: Effective static analysis of real code –Write small extension, apply to code, find 100s-1000s of bugs in real systems –Result: Static, precise, immediate error diagnosis u Belief analysis: broader checking –Using programmer beliefs to infer state of system, relevant rules –Key feature: find errors without knowing truth u Managing false positives –System-specific techniques –Use statistical analysis Summary

Download ppt "Finding bugs with system-specific static analysis Dawson Engler Ken Ashcraft, Ben Chelf, Andy Chou, Seth Hallem, Yichen Xie, Junfeng Yang Stanford University."

Similar presentations

Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Chapter 17 vector and Free Store John Keyser’s Modifications of Slides By Bjarne Stroustrup www.stroustrup.com/Programming.

Chapter 17 vector and Free Store John Keyser’s Modifications of Slides By Bjarne Stroustrup
R4 Dynamically loading processes. Overview R4 is closely related to R3, much of what you have written for R3 applies to R4 In R3, we executed procedures.

R4 Dynamically loading processes. Overview R4 is closely related to R3, much of what you have written for R3 applies to R4 In R3, we executed procedures.
CS 450 Module R4. R4 Overview Due on March 11 th along with R3. R4 is a small yet critical part of the MPX system. In this module, you will add the functionality.

CS 450 Module R4. R4 Overview Due on March 11 th along with R3. R4 is a small yet critical part of the MPX system. In this module, you will add the functionality.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.

SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Bugs as deviant behavior – Inferring errors in systems code D. Engler, D. Chen, S. Hallem, B. Chelf,

CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Bugs as deviant behavior – Inferring errors in systems code D. Engler, D. Chen, S. Hallem, B. Chelf,
CS16 Week 2 Part 2 Kyle Dewey. Overview Type coercion and casting More on assignment Pre/post increment/decrement scanf Constants Math library Errors.

CS16 Week 2 Part 2 Kyle Dewey. Overview Type coercion and casting More on assignment Pre/post increment/decrement scanf Constants Math library Errors.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
/ PSWLAB RacerX: Effective, Static Detection of Race Conditions and Deadlocks by Dawson Engler & Ken Ashcraft (published in SOSP03) Hong,Shin.

/ PSWLAB RacerX: Effective, Static Detection of Race Conditions and Deadlocks by Dawson Engler & Ken Ashcraft (published in SOSP03) Hong,Shin.
Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.

Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.
How to find lots of bugs by checking program belief systems Dawson Engler David Chen, Seth Hallem, Ben Chelf, Andy Chou Stanford University This talk I.

How to find lots of bugs by checking program belief systems Dawson Engler David Chen, Seth Hallem, Ben Chelf, Andy Chou Stanford University This talk I.
1 1 Lecture 4 Structure – Array, Records and Alignment Memory- How to allocate memory to speed up operation Structure – Array, Records and Alignment Memory-

1 1 Lecture 4 Structure – Array, Records and Alignment Memory- How to allocate memory to speed up operation Structure – Array, Records and Alignment Memory-
Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions Dawson Engler, Benjamin Chelf, Andy Chow, Seth Hallem Computer Systems.

Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions Dawson Engler, Benjamin Chelf, Andy Chow, Seth Hallem Computer Systems.
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.

From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
From Module Breakdown to Interface Specifications Completing the architectural design of Map Schematizer.

From Module Breakdown to Interface Specifications Completing the architectural design of Map Schematizer.
MULTIVIE W Checking System Rules Using System-Specific, Program-Written Compiler Extensions Paper: Dawson Engler, Benjamin Chelf, Andy Chou, and Seth Hallem.

MULTIVIE W Checking System Rules Using System-Specific, Program-Written Compiler Extensions Paper: Dawson Engler, Benjamin Chelf, Andy Chou, and Seth Hallem.

Similar presentations

Ads by Google