Glenn Ammons Ras Bodík Jim Larus Univ. of Wisconsin Univ. of Wisconsin Microsoft Research Mining Specifications (lots of) code  specifications of correctness.

Slides:



Advertisements
Similar presentations
Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
A Survey of Runtime Verification Jonathan Amir 2004.
Mining Specifications Glenn Ammons, Dept. Computer Science University of Wisconsin Rastislav Bodik, Computer Science Division University of California,
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Equivalence of Extended Symbolic Finite Transducers Presented By: Loris D’Antoni Joint work with: Margus Veanes.
1 Regression-Verification Benny Godlin Ofer Strichman Technion.
1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
1 Introduction to Computability Theory Lecture3: Regular Expressions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture4: Regular Expressions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture3: Regular Expressions Prof. Amos Israeli.
Formal Methods. Importance of high quality software ● Software has increasingly significant in our everyday activities - manages our bank accounts - pays.
Synergy: A New Algorithm for Property Checking
The Theory of NP-Completeness
CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
Synthesis of Interface Specifications for Java Classes Rajeev Alur University of Pennsylvania Joint work with P. Cerny, G. Gupta, P. Madhusudan, W. Nam,
1 Foundations of Software Design Lecture 23: Finite Automata and Context-Free Grammars Marti Hearst Fall 2002.
Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
Automatic Extraction of Object-Oriented Component Interfaces John Whaley Michael C. Martin Monica S. Lam Computer Systems Laboratory Stanford University.
Chapter 11: Limitations of Algorithmic Power
1 Today More on random testing + symbolic constraint solving (“concolic” testing) Using summaries to explore fewer paths (SMART) While preserving level.
Regular Expressions and Automata Chapter 2. Regular Expressions Standard notation for characterizing text sequences Used in all kinds of text processing.
School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification
Formal verification Marco A. Peña Universitat Politècnica de Catalunya.
Cormac Flanagan University of California, Santa Cruz Hybrid Type Checking.
Reverse Engineering State Machines by Interactive Grammar Inference Neil Walkinshaw, Kirill Bogdanov, Mike Holcombe, Sarah Salahuddin.
Called as the Interval Scheduling Problem. A simpler version of a class of scheduling problems. – Can add weights. – Can add multiple resources – Can ask.
Mining Windows Kernel API Rules Jinlin Yang 09/28/2005CS696.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Static and Dynamic Analysis at JPL Klaus Havelund.
1 Unit 1: Automata Theory and Formal Languages Readings 1, 2.2, 2.3.
Introduction to Formal Methods Based on Jeannette M. Wing. A Specifier's Introduction to Formal Methods. IEEE Computer, 23(9):8-24, September,
Bug Localization with Machine Learning Techniques Wujie Zheng
Inferring Specifications to Detect Errors in Code Mana Taghdiri Presented by: Robert Seater MIT Computer Science & AI Lab.
Type Systems CS Definitions Program analysis Discovering facts about programs. Dynamic analysis Program analysis by using program executions.
DEBUGGING. BUG A software bug is an error, flaw, failure, or fault in a computer program or system that causes it to produce an incorrect or unexpected.
Strauss: A Specification Miner Glenn Ammons Department of Computer Sciences University of Wisconsin-Madison.
TRANSITION DIAGRAM BASED LEXICAL ANALYZER and FINITE AUTOMATA Class date : 12 August, 2013 Prepared by : Karimgailiu R Panmei Roll no. : 11CS10020 GROUP.
Glenn Ammons Ras Bodík Jim Larus Univ. of Wisconsin Univ. of Wisconsin Microsoft Research Mining Specifications (lots of) code  specifications.
1 Introduction to Software Testing. Reading Assignment P. Ammann and J. Offutt “Introduction to Software Testing” ◦ Chapter 1 2.
1 CSEP590 – Model Checking and Automated Verification Lecture outline for August 6, 2003.
An Undergraduate Course on Software Bug Detection Tools and Techniques Eric Larson Seattle University March 3, 2006.
Scientific Debugging. Errors in Software Errors are unexpected behaviors or outputs in programs As long as software is developed by humans, it will contain.
CSCI1600: Embedded and Real Time Software Lecture 28: Verification I Steven Reiss, Fall 2015.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
September 1999Compaq Computer CorporationSlide 1 of 16 Verification of cache-coherence protocols with TLA+ Homayoon Akhiani, Damien Doligez, Paul Harter,
MOPS: an Infrastructure for Examining Security Properties of Software Authors Hao Chen and David Wagner Appears in ACM Conference on Computer and Communications.
Deriving formal specifications (almost) automatically Glenn Ammons and Ras Bodik and James R. Larus.
Week 6 MondayTuesdayWednesdayThursdayFriday Testing III Reading due Group meetings Testing IVSection ZFR due ZFR demos Progress report due Readings out.
Testing Overview Software Reliability Techniques Testing Concepts CEN 4010 Class 24 – 11/17.
CS 404Ahmed Ezzat 1 CS 404 Introduction to Compiler Design Lecture 1 Ahmed Ezzat.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Strauss: A Specification Miner
Programming Fundamentals (750113) Ch1. Problem Solving
Test Case Test case Describes an input Description and an expected output Description. Test case ID Section 1: Before execution Section 2: After execution.
Presentation transcript:

Glenn Ammons Ras Bodík Jim Larus Univ. of Wisconsin Univ. of Wisconsin Microsoft Research Mining Specifications (lots of) code  specifications of correctness

2 Motivation: why specifications? Verification tools find bugs early make guarantees scale with programs need specifications verifier Bugs! program Specifications program

3 Language-usage specifications verifier Bugs! program array accesses memory allocation type safety... program Easy to write, big payoff

4 Library-usage specifications verifier program cut-and-paste (X11) network server (socket API) device drivers (kernel API)... program Harder to write, smaller payoff Bugs!

5 Program specifications verifier program symbol table well-formed IR well-formed... Hardest to write, smallest payoff Bugs!

6 Solution: specification mining Specification mining gleans specifications from artifacts of program development: From programs (static)? From executions of test cases (dynamic)? From other artifacts?

7 Mining from traces Advantages: No infeasible paths Pointer/alias analysis is easy Few bugs, as program passes its tests Common behavior is correct behavior... socket(domain = 2, type = 1, proto = 0, return = 7) accept(so = 7, addr = 0x40, addr_len = 0x50, return = 8) write(so = 8, buf = 0x100, len = 23, return = 23) read(so = 8, buf = 0x100, len = 12, return = 12) close(so = 8, return = 0) close(so = 7, return = 0)...

8 Output: a specification socket(return = X) accept(so = X, return = Y) close(so = Y)close(so = X) read(so = Y) write(so = Y) Specification says what programs should do: Temporal dependences ( accept follows socket ) Data dependences ( accept input is socket output) start end

9 How we mine specifications extract scenarios standardize PFSA learner... socket(domain = 2, type = 1, proto = 0, return = 7))... ACEGBACEGB ACEGBACEGB ACEGBACEGB socket(domain = 2, type = 1, proto = 0, return = 7))... socket(domain = 2, type = 1, proto = 0, return = 7))... socket(...) accept(...) read(...) write(...) close(...) socket(...) accept(...) read(...) write(...) close(...) socket(...) accept(...) read(...) write(...) close(...) Traces Scenarios (dep. graphs) Strings postprocess Specification PFSA socket(return = X) accept(so = X, return = Y) close(so = Y)close(so = X) read(so = Y) write(so = Y) start end.. A B E F C D start end

10 Outline of the talk The specification mining problem Our specification mining system Annotating traces with dependences Extracting and standardizing scenarios Probabilistic learning and postprocessing Experimental results Related work

11 An impossible problem C (all correct traces) T (training traces) Find a Turing machine that generates C, given T. I (all traces) Unsolvable: No restrictions on C No connection between C and T Simple variants are also undecidable [Gold67]

12 A simpler problem Find a PFSA that generates an approximation of P. 0 1 P a probability distribution Probability Correct Noise

13 A simpler problem Find a PFSA that generates an approximation of P. All scenarios 0 1 P a probability distribution over all scenarios Probability Correct scenarios Noise

14 A simpler problem Find a PFSA that generates an approximation of P. Tractable, plus Scenarios are small Noise handled Finite-state Weights useful for postprocessing All scenarios 0 1 P a probability distribution over all scenarios Probability Correct scenarios Noise

15 Outline of the talk The specification mining problem Our specification mining system Annotating traces with dependences Extracting and standardizing scenarios Probabilistic learning and postprocessing Verifying traces Experimental results Related work

16 Dependence annotation socket(domain = 2, type = 1, proto = 0, return = 7) accept(so = 7, addr = 0x40, addr_len = 0x50, return = 8) write(so = 8, buf = 0x100, len = 23, return = 23) close(so = 8, return = 0) close(so = 7, return = 0) dependence annotator Traces Annotated traces

17 Dependence annotation Definers: socket.return accept.return close.so Users: accept.so read.so write.so close.so dependence annotator Traces Annotated traces socket(domain = 2, type = 1, proto = 0, return = 7) accept(so = 7, addr = 0x40, addr_len = 0x50, return = 8) write(so = 8, buf = 0x100, len = 23, return = 23) close(so = 8, return = 0) close(so = 7, return = 0)

18 Dependence annotation dependence annotator Traces Annotated traces Definers: socket.return accept.return close.so Users: accept.so read.so write.so close.so socket(domain = 2, type = 1, proto = 0, return = 7) accept(so = 7, addr = 0x40, addr_len = 0x50, return = 8) write(so = 8, buf = 0x100, len = 23, return = 23) close(so = 8, return = 0) close(so = 7, return = 0)

19 Outline of the talk The specification mining problem Our specification mining system Annotating traces with dependences Extracting and standardizing scenarios Probabilistic learning and postprocessing Experimental results Related work

20 Extracting scenarios scenario extractor Annotated traces Seeds Abstract scenarios socket(domain = 2, type = 1, proto = 0, return = 7) accept(so = 7, addr = 0x40, addr_len = 0x50, return = 8) write(so = 8, buf = 0x100, len = 23, return = 23) close(so = 8, return = 0) close(so = 7, return = 0)

21 Extracting scenarios scenario extractor Annotated traces Seeds Abstract scenarios socket(domain = 2, type = 1, proto = 0, return = 7) accept(so = 7, addr = 0x40, addr_len = 0x50, return = 8) write(so = 8, buf = 0x100, len = 23, return = 23) close(so = 8, return = 0) close(so = 7, return = 0)

22 Extracting scenarios scenario extractor Annotated traces Seeds Abstract scenarios socket(domain = 2, type = 1, proto = 0, return = 7) accept(so = 7, addr = 0x40, addr_len = 0x50, return = 8) write(so = 8, buf = 0x100, len = 23, return = 23) close(so = 8, return = 0) close(so = 7, return = 0)

23 Simplifying scenarios scenario extractor Annotated traces Seeds Abstract scenarios socket(domain = 2, type = 1, proto = 0, return = 7) [seed] accept(so = 7, addr = 0x40, addr_len = 0x50, return = 8) write(so = 8, buf = 0x100, len = 23, return = 23) close(so = 8, return = 0) close(so = 7, return = 0)

24 Simplifying scenarios socket(return = 7) [seed] accept(so = 7, return = 8) write(so = 8) close(so = 8) close(so = 7) Drops attributes not used in dependences. scenario extractor Annotated traces Seeds Abstract scenarios

25 Standardizing scenarios Simplified scenarios Equivalent scenarios Abstract scenarios Standardization Two transformations: Naming: foo(val = 7)  foo(val = X) Reordering: foo(); bar();  bar(); foo(); Finds the least standardized scenario, in lexicographic order scenario extractor Annotated traces Seeds Abstract scenarios

26 Standardizing scenarios scenario extractor Annotated traces Seeds Abstract scenarios socket(return = 7) [seed] accept(so = 7, return = 8) write(so = 8) read(so = 8) close(so = 8) close(so = 7) Use-def and def-def dependences

27 Standardizing scenarios Reorder scenario extractor Annotated traces Seeds Abstract scenarios socket(return = 7) [seed] accept(so = 7, return = 8) read(so = 8) write(so = 8) close(so = 8) close(so = 7) Use-def and def-def dependences

28 Standardizing scenarios Reorder Name scenario extractor Annotated traces Seeds Abstract scenarios socket(return = X) [seed] accept(so = X, return = Y) read(so = Y) write(so = Y) close(so = Y) close(so = X) Use-def and def-def dependences

29 Standardizing scenarios ABDEFGABDEFG Each interaction is a letter to the PFSA learner. scenario extractor Annotated traces Seeds Abstract scenarios socket(return = X) [seed] accept(so = X, return = Y) read(so = Y) write(so = Y) close(so = Y) close(so = X)

30 Outline of the talk The specification mining problem Our specification mining system Annotating traces with dependences Extracting and standardizing scenarios Probabilistic learning and postprocessing Experimental results Related work

31 PFSA learning Algorithm due to Raman et al.: 1.Build a weighted retrieval tree 2.Merge similar states automaton learner Abstract scenarios Specification

32 PFSA learning Algorithm due to Raman et al.: 1.Build a weighted retrieval tree 2.Merge similar states automaton learner Abstract scenarios Specification A B C E F D F G G 1

33 PFSA learning B C E D F A automaton learner Abstract scenarios Specification Algorithm due to Raman et al.: 1.Build a weighted retrieval tree 2.Merge similar states G 1 G 99

34 PFSA learning B C E D F A automaton learner Abstract scenarios Specification Algorithm due to Raman et al.: 1.Build a weighted retrieval tree 2.Merge similar states G 100

35 Postprocessing: coring B C E D F A automaton learner Abstract scenarios Specification 1.Remove infrequent transitions 2.Convert PFSA to NFA G 100

36 Postprocessing: coring B C E D F A automaton learner Abstract scenarios Specification 1.Remove infrequent transitions 2.Convert PFSA to NFA G

37 Outline of the talk The specification mining problem Our specification mining system Annotating traces with dependences Extracting and standardizing scenarios Probabilistic learning and postprocessing Experimental results Related work

38 Where to find bugs? in programs (static verification)? or in traces (dynamic verification)?

39 How we verify specifications extract scenarios standardize Check automaton membership... socket(domain = 2, type = 1, proto = 0, return = 7))... ACEGBACEGB ACEGBACEGB ACEGBACEGB socket(domain = 2, type = 1, proto = 0, return = 7))... socket(domain = 2, type = 1, proto = 0, return = 7))... socket(...) accept(...) read(...) write(...) close(...) socket(...) accept(...) read(...) write(...) close(...) socket(...) accept(...) read(...) write(...) close(...) Traces Scenarios (dep. graphs) Strings

40 Verifying traces... socket(return = 7) accept(so = 7, return = 8) write(so = 8) read(so = 8) close(so = 8) close(so = 7)... socket(return = 7) accept(so = 7, return = 8) write(so = 8) read(so = 8) close(so = 8)... OK (both sockets closed)Bug! (socket 7 not closed) socket(return = X) [seed] accept(so = X, return = Y) close(fd = Y)close(fd = X) read(so = Y) write(so = Y)

41 Attempted to mine and verify two published X11 rules Experimental results Challenge: small, buggy training sets (16 programs)

42 Learning by trial and error Start with a rule learned from one, trusted trace. Then: Randomly select an unused trace Trace obeys rule? Add trace to training set; learn a new rule Expert: is trace buggy? yes no no (rule too specific) Report bug yes

43 1. A timestamp-passing rule 4 traces did not need inspection learned the rule! (compact: 7 states) bugs in 2 out of 16 programs (ups, e93) English specification was incomplete (3 traces) expert and corer agreed on 81% of the hot core 2. SetOwner(x) must be followed by GetSelection(x) failed to learn the rule (very small learning set) but bugs in 2 out of 5 programs (xemacs, ups) Results

44 Outline of the talk The specification mining problem Our specification mining system Annotating traces with dependences Extracting and standardizing scenarios Probabilistic learning and postprocessing Experimental results Related work

45 Related work Arithmetic pre/post conditions Daikon [Ernst et al], Houdini [Flanagan and Leino] properties orthogonal from us eventually, we may need to include and learn some arithmetic relationships Temporal relationships over calls intrusion detection: [Ghosh et al], [Wagner and Dean] software processes: [Cook and Wolf] error checking: [Engler et al SOSP 2001] lexical and syntactic pattern matching user must write templates (e.g., always follows ) design patterns: [Reiss and Renieris]

46 Conclusion Introduced specification mining, a new approach for learning correctness specifications Refined the problem into a problem of probabilistic learning from traces Developed and demonstrated a practical specifications miner

47 End of talk

48 How we mine specifications tracerrun dependence annotator Program Instrumented program Test inputs TracesAnnotated traces... socket(domain = 2, type = 1, proto = 0, return:T0 = 7) [SETUP socket:T0 7] accept(so:T0 = 7, addr = 0x40, addr_len = 0x50, return:T0 = 8) [USE socket:T0 8] close(so:T0 = 8, return = 0) close(so:T0 = 7, return = 0)...

49 How we mine specifications Program int s = socket(AF_INET, SOCK_STREAM, 0); [DO SETUP] while(cond1) { int ns = accept(s, &addr, &len); while(cond2) { [USE NS] if (cond3) return; } close(ns); } close(s);

50 How we mine specifications tracer Program Instrumented program int s = socket(AF_INET, SOCK_STREAM, 0); [DO SETUP] while(cond1) { int ns = accept(s, &addr, &len); while(cond2) { [USE NS] if (cond3) return; } close(ns); } close(s);

51 How we mine specifications tracerrun Program Instrumented program Test inputs Traces... socket(domain = 2, type = 1, proto = 0, return = 7) [SETUP socket 7] accept(so = 7, addr = 0x40, addr_len = 0x50, return = 8) [USE socket 8] close(so = 8, return = 0) close(so = 7, return = 0)...

52 How we mine specifications tracerrun dependence annotator Program Instrumented program Test inputs TracesAnnotated traces... socket(domain = 2, type = 1, proto = 0, return = 7) [SETUP socket 7] accept(so = 7, addr = 0x40, addr_len = 0x50, return = 8) [USE socket 8] close(so = 8, return = 0) close(so = 7, return = 0)...

53 How we mine specifications tracerrun scenario extractor dependence annotator Program Instrumented program Test inputs TracesAnnotated traces Scenario seeds Abstract scenarios socket(return = X) [seed] [SETUP socket X] accept(so = X, return = Y) [USE socket Y] close(so = Y) close(so = X)

54 How we mine specifications tracerrun scenario extractor automaton learner dependence annotator Program Instrumented program Test inputs TracesAnnotated traces Scenario seeds Abstract scenarios Specification socket(return = X) [seed] [SETUP X] accept(so = X, return = Y) close(fd = Y)close(fd = X) [USE Y]

55 Reducing the problem C (all correct traces) T (training traces) The problem: find an automaton that generates C, given T. I (all traces) Issues: What if C is not r.e.? Checkers and learners need finite specs.

56 Reducing the problem C (all correct traces) T (training traces) The problem: find an automaton that generates C, given T. I (all traces) Issues: What if C is not r.e.? Checkers and learners need finite specs.

57 Reducing the problem The problem: find an automaton that generates C, given T. Assume that C is regular. Issue: What if the program is not regular? C (all correct traces, regular) T (training traces) I (all traces) I C T Unrestricted

58 Reducing the problem The problem: find an automaton that generates C S, given T S. Assume that the size of scenarios is bounded. Issue: No connection between C S and T S ! C S (all correct scenarios, regular) T S (training scenarios) I S (all scenarios, bounded size) I C T Unrestricted Regular I C T

59 Reducing the problem The problem: find an automaton that generates C S, given T S. Assume that T S presents each element of C S at least once. Issue: Undecidable (Gold67) C S (all correct scenarios, regular) T S = c 0, c 1,... I S (all scenarios, bounded size) I C T Unrestricted Regular I C T ISIS CSCS TSTS Scenarios

60 Reducing the problem The problem: find a PFSA that generates P’, where P and P’ are close (by some distance metric). Assume P is generated by a PFSA. I C T Unrestricted Regular I C T Scenarios ISIS CSCS Complete presentation I S (all scenarios) T S = c 0, c 1,... ISIS CSCS TSTS 0 1 P a probability distribution over I S, generated by a PFSA

61 Digression: postprocessing PFSA = NFA with weights Specification = NFA Convert PFSA to specification: 1. Find hot core (that is, drop noise) drop infrequent scenarios drop infrequent parts of scenarios 2. Drop weights

62 Preparing input traces socket(domain = 2, type = 1, proto = 0, return:T0 = 7) [SETUP socket:T1 7] accept(so:T2 = 7, addr = 0x40, addr_len = 0x50, return:T3 = 8) [USE socket:T4 8] close(so:T5 = 8, return = 0) close(so:T5 = 7, return = 0)

63 Preparing input traces socket(domain = 2, type = 1, proto = 0, return:T0 = 7) [SETUP socket:T0 7] accept(so:T2 = 7, addr = 0x40, addr_len = 0x50, return:T3 = 8) [USE socket:T4 8] close(so:T5 = 8, return = 0) close(so:T5 = 7, return = 0)

64 Preparing input traces socket(domain = 2, type = 1, proto = 0, return:T0 = 7) [SETUP socket:T0 7] accept(so:T0 = 7, addr = 0x40, addr_len = 0x50, return:T3 = 8) [USE socket:T4 8] close(so:T5 = 8, return = 0) close(so:T5 = 7, return = 0)

65 Preparing input traces socket(domain = 2, type = 1, proto = 0, return:T0 = 7) [SETUP socket:T0 7] accept(so:T0 = 7, addr = 0x40, addr_len = 0x50, return:T3 = 8) [USE socket:T4 8] close(so:T0 = 8, return = 0) close(so:T0 = 7, return = 0)

66 Preparing input traces socket(domain = 2, type = 1, proto = 0, return:T0 = 7) [SETUP socket:T0 7] accept(so:T0 = 7, addr = 0x40, addr_len = 0x50, return:T3 = 8) [USE socket:T3 8] close(so:T0 = 8, return = 0) close(so:T0 = 7, return = 0)

67 Preparing input traces socket(domain = 2, type = 1, proto = 0, return:T0 = 7) [SETUP socket:T0 7] accept(so:T0 = 7, addr = 0x40, addr_len = 0x50, return:T0 = 8) [USE socket:T0 8] close(so:T0 = 8, return = 0) close(so:T0 = 7, return = 0)

68 Extracting scenarios socket(domain = 2, type = 1, proto = 0, return:T0 = 7) [SETUP socket:T0 7] accept(so:T0 = 7, addr = 0x40, addr_len = 0x50, return:T0 = 8) [USE socket:T0 8] close(so:T0 = 8, return = 0) close(so:T0 = 7, return = 0) scenario extractor Annotated traces Seeds Abstract scenarios

69 Extracting scenarios socket(domain = 2, type = 1, proto = 0, return:T0 = 7) [SETUP socket:T0 7] accept(so:T0 = 7, addr = 0x40, addr_len = 0x50, return:T0 = 8) [USE socket:T0 8] close(so:T0 = 8, return = 0) close(so:T0 = 7, return = 0) scenario extractor Annotated traces Seeds Abstract scenarios

70 Extracting scenarios socket(domain = 2, type = 1, proto = 0, return:T0 = 7) [SETUP socket:T0 7] accept(so:T0 = 7, addr = 0x40, addr_len = 0x50, return:T0 = 8) [USE socket:T0 8] close(so:T0 = 8, return = 0) close(so:T0 = 7, return = 0) scenario extractor Annotated traces Seeds Abstract scenarios

71 Simplifying scenarios socket(domain = 2, type = 1, proto = 0, return:T0 = 7) [seed] [SETUP socket:T0 7] accept(so:T0 = 7, addr = 0x40, addr_len = 0x50, return:T0 = 8) [USE socket:T0 8] close(so:T0 = 8, return = 0) close(so:T0 = 7, return = 0) scenario extractor Annotated traces Seeds Abstract scenarios

72 Simplifying scenarios socket(return:T0 = 7) [seed] [SETUP socket:T0 7] accept(so:T0 = 7, return:T0 = 8) [USE socket:T0 8] close(so:T0 = 8) close(so:T0 = 7) Drop untyped attributes. scenario extractor Annotated traces Seeds Abstract scenarios

73 Standardizing scenarios Standardization puts equivalent scenarios into a canonical abstract form: Simplified scenarios Equivalent scenarios Abstract scenarios Standardization A search using two transformations: Naming: foo(val = 7)  foo(val = X) Reordering: foo(); bar();  bar(); foo(); scenario extractor Annotated traces Seeds Abstract scenarios

74 Standardizing scenarios socket(return:T0 = 7) [seed] [SETUP socket:T0 7] accept(so:T0 = 7, return:T0 = 8) [USE Y] close(so:T0 = 8) close(so:T0 = 7) scenario extractor Annotated traces Seeds Abstract scenarios

75 Standardizing scenarios socket(return:T0 = 7) [seed] [SETUP socket:T0 7] accept(so:T0 = 7, return:T0 = 8) write(so:T0 = 8) read(so:T0 = 8) close(so:T0 = 8) close(so:T0 = 7) scenario extractor Annotated traces Seeds Abstract scenarios

76 Standardizing scenarios socket(return:T0 = 7) [seed] [SETUP socket:T0 7] accept(so:T0 = 7, return:T0 = 8) read(so:T0 = 8) write(so:T0 = 8) close(so:T0 = 8) close(so:T0 = 7) Reorder scenario extractor Annotated traces Seeds Abstract scenarios

77 Standardizing scenarios socket(return:T0 = X) [seed] [SETUP socket:T0 X] accept(so:T0 = X, return:T0 = Y) read(so:T0 = Y) write(so:T0 = Y) close(so:T0 = Y) close(so:T0 = X) Reorder Name scenario extractor Annotated traces Seeds Abstract scenarios

78 Standardizing scenarios socket(return:T0 = X) [seed] [SETUP socket:T0 X] accept(so:T0 = X, return:T0 = Y) read(so:T0 = Y) write(so:T0 = Y) close(so:T0 = Y) close(so:T0 = X) ABCDEFGABCDEFG Each interaction is a letter to the PFSA learner. scenario extractor Annotated traces Seeds Abstract scenarios

79 Coring Coring removes PFSA transitions that occur infrequently and converts the PFSA into an NFA. [SETUP X] accept(so = X, return = Y) close(fd = Y) [USE Y] close(fd = X) socket(return = X) [seed] automaton learner Abstract scenarios Specification

80 Verification Do all traces of a program P satisfy a specification A?

81 Verification Do all traces of a program P satisfy a specification A? Does a trace T Definition: T satisfies A if every seed in T is surrounded by a scenario that satisfies A.

82 Verification Do all traces of a program P satisfy a specification A? Does a trace T Does a scenario S Language of A Abstract scenarios satisfying A Simplified scenarios satisfying A Concrete scenarios satisfying A Simplification Standardization S?

83 Experiments What we wanted to find out Hypothesis 1: the process will find bugs and reduce the number of traces that the expert must inspect. Hypothesis 2: the miner’s final specification will match the English rule. Hypothesis 3: the corer and the human will agree on the hot core. Gathered traces from 16 programs: 5 programs in the X11 distribution and 11 contributed programs

84 Testing vs. verification testing: program input is the output correct? input property verification: checker property does property hold? program X11 sockets sample properties: allocated memory is freed. locks are released. …

85 Testing vs. verification Completeness (“coverage”): verification (if sound) guarantees that program contains no bugs of a well-specified class. testingverification aspectsallsome controlsomeall datasomeall our focus

86 Verification: recent successes Recent successes. specifications languages: temporal logics, automata, … abstractors: SLAM, FeaVer checkers: model checking, theorem proving, type systems What’s still missing? ? specifications property holds? program checker abstract program L1L1 abstractor formal specification of correctness L2L2 property

87 So who formulates specifications? Programmers? Probably not. Why they won’t: too busy: yet another language to learn? specifications aren’t cool. specification languages are hard: LTL, anyone? Why they shouldn’t: may misunderstand usage rules. may not know all usage rules. Mining Specifications:  Convenient and easy: anyone can do it  Like in data mining, discover surprise rules.

88 Advantages of mining  Exploits the massive programmers’ effort reflected in the code. Programmers resolved many problems: incomplete system requirements. incomplete API documentation. implementation-dependent API rules. Want redundancy? (without redundant programming) ask multiple programmers (and vote).  Exploits the testers’ effort in devising test inputs

89 Our output: a specification x = socket() bind(x) listen(x) y = accept(x) write(y) close(y) close(x) read(y)

90 How do we mine? Underlying premise: Even bad software is debugged enough to show hints of correct behavior.  Maxim: Common usage is the correct usage.

91 Mining = machine learning Reduce the problem into the well-known problem of learning regular languages. Obstacles: 1. source code is too detailed and hard to analyze 2. what is “common” behavior? Solutions: 1. learn from dynamic behavior 2. learn probabilistically  learn from traces into probabilistic FSMs

92 Input: trace(s) 7 = socket(2, 1, 0); bind(7, 0x400120, 16); listen(7, 5); 8 = accept(7, 0x400200, 0x400240); read(8, 0x400320, 255); write(8, 0x400320, 12); read(8, 0x400320, 255); write(8, 0x400320, 7); close(8); 10 = accept(7, 0x400200, 0x400240); read(10, 0x400320, 255); write(10, 0x400320, 13); close(10); close(7); … x = socket() bind(x) listen(x) y = accept(x) write(y) close(y) close(x) read(y) 7 = socket(2, 1, 0); bind(7, 0x400120, 16); listen(7, 5); 8 = accept(7, 0x400200, 0x400240); read(8, 0x400320, 255); write(8, 0x400320, 12); read(8, 0x400320, 255); write(8, 0x400320, 7); close(8); 10 = accept(7, 0x400200, 0x400240); read(10, 0x400320, 255); write(10, 0x400320, 13); close(10); close(7); … 7 = socket(2, 1, 0); bind(7, 0x400120, 16); listen(7, 5); 8 = accept(7, 0x400200, 0x400240); read(8, 0x400320, 255); write(8, 0x400320, 12); read(8, 0x400320, 255); write(8, 0x400320, 7); close(8); 10 = accept(7, 0x400200, 0x400240); read(10, 0x400320, 255); write(10, 0x400320, 13); close(10); close(7); …

93 The mining algorithm dynamic execution (traces) trace abstraction usage scenarios (strings) (off-the-shelf) RegExp learner generalized scenarios (probabilistic FSA) user: extract heavy core (and approve) specification (NFA) dynamic checker dynamic exe. to be checked (trace) OK/bug

94 Trace abstraction: 4 challenges Traces interleave useful and useless events. sockets created by accept are independent, … Specifications must include both temporal and value-flow constraints. Only some of API calls’ arguments impose “true” dependences. accept does not alter the state of the bound socket, … Specifications may impose only partial order. filling in fields of a structure before a call, …

95 Finding dependendences 7 = socket(2, 1, 0); bind(7, 0x400120, 16); listen(7, 5); 8 = accept(7, 0x400200, 0x400240); read(8, 0x400320, 255); write(8, 0x400320, 12); read(8, 0x400320, 255); write(8, 0x400320, 7); close(8); 10 = accept(7, 0x400200, 0x400240); read(10, 0x400320, 255); write(10, 0x400320, 13); close(10); close(7); … Some args and return values are handles to data structures. Calls may write through the handle read through the handle read and write Def-use dependences connect writers to readers

h(_, ) a(, ) d(, ) b(_, ) e( ) Trace abstraction h(3, 5) c(10) a(4, 5) d(4, 7) b(0, 5) f(10) h(8, 11) e(7) f(50) d(15, 1) c(7) a(9, 11) b(6, 7) d(9, 14) f(20) e(7) … h(_, X) a(Y, X) b(_, X) d(Y, Z) e(Z) h(_, X) a(Y, X) b(_, X) d(Y, Z) e(Z) h(_, 5) c(10) a(4, 5) d(4, 7) b(_, 5) f(10) h(_, 11) e(7) f(_) d(_, _) c(7) a(9, 11) b(_, 11) d(9, _) e(_) f(_) … h(_, X) a(Y, X) d(Y, Z) b(_, X) e(Z) h(_, X) a(Y, X) b(_, X) d(Y, Z)

97 The output PFSA h(_, X) a(Y, X) b(_, X) d(Y, Z) e(Z) d(Y, Z) 1

98 Renaming and reordering the chop outline of the algorithm input: a chop (a dag of data dependences) output: the canonical chop 1. reorder: list all possible chop schedules trick: only list those with calls in lexicographic order 2. rename: abstract arguments in each schedule 3. select lexicographically least schedule lexicographic order: a(…) b(…) < b(…) b(…) a(X) b(…) < a(Y) b(…)

99 Checking: the meaning of the spec means: whenever seed(x) is executed, it must be preceded by a(x), b(x) and followed by c(x). does not mean: a(x) must be followed by b(x), seed(x), c(x) (because a is not a seed). seed(x)c(x)b(x)a(x)

100 Dynamic checking Used in our experiments checker mirrors the learner: specification (NFA) dynamic checker for each seed in the trace extract a chop if some substring from chop in NFA seed verified! else extract a larger chop (up to a bound) fail if no chop verifies dynamic execution to be checked (trace) OK/bug

101 Static checking Conversion to a “checkable” specification: seed(x)c(x)b(x)a(x) seed(x) c(x)b(x)a(x) ^b(x) ^seed(x) OK bug! ^c(x) | end seed(x)

102 Related work Arithmetic pre/post conditions Daikon, Houdini properties orthogonal from us eventually, we may need to include and learn some arithmetic relationships Temporal relationships over calls intrusion detection: [Ghosh et al], [Wagner and Dean] software processes: [Cook and Wolf] error checking: [Engler et al SOSP 2001] lexical and syntactic pattern matching user must write templates (e.g., always follows )

103 Ongoing work Mechanize tool. Find more gold.

104 Ongoing work Gathering traces Right now: hand-built tracers for stdio and X11 Ongoing: a tool to generate tracers from header files Def-use annotations Right now: by hand Ongoing: tools to help Future?: static analysis Selecting the core Right now: by hand and heuristics Ongoing: algorithms (lots of ideas, none tried) Find more bugs 80MB of gzipped stdio traces

105 Future work Mining Give gold to jewelers. SPIN Vault Verisoft SLAM ESP … ? code specificationsbugs inputs

106 Summary Semi-automatically formulating well-formed, non- trivial specifications is an important part of the verification tool chain. Contributions: introduced specifications mining phrased it as probabilistic learning from dynamic traces decomposed it into a sequence of subproblems (using an off-the-shelf learner) developed dynamic checker found bugs

107 The supply/demand pyramids LTL C C ++ Java Visual Basic javascript, html, XML skill (supply) effort (demand) s/w development requirements analysis verification and testing

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.