Flow-insensitive type qualifiers

We describe flow-insensitive type qualifiers, a lightweight, practical mechanism for specifying and checking properties not captured by traditional type systems. We present a framework for adding new, user-specified type qualifiers to programming languages with static type systems, such as C and Java. In our system, programmers add a few type qualifier annotations to their program, and automatic type qualifier inference determines the remaining qualifiers and checks the annotations for consistency. We describe a tool CQual for adding type qualifiers to the C programming language. Our tool CQual includes a visualization component for displaying browsable inference results to the programmer. Finally, we present several experiments using our tool, including inferring const qualifiers, finding security vulnerabilities in several popular C programs, and checking initialization data usage in the Linux kernel. Our results suggest that inference and visualization make type qualifiers lightweight, that type qualifier inference scales to large programs, and that type qualifiers are applicable to a wide variety of problems.

[1]  John C. Mitchell,et al.  Type inference with simple subtypes , 1991, Journal of Functional Programming.

[2]  David E. Evans,et al.  Static detection of dynamic memory errors , 1996, PLDI '96.

[3]  Robert DeLine,et al.  Enforcing high-level protocols in low-level software , 2001, PLDI '01.

[4]  Robert DeLine,et al.  Adoption and focus: practical linear types for imperative programming , 2002, PLDI '02.

[5]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[6]  Matt Bishop,et al.  Checking for Race Conditions in File Accesses , 1996, Comput. Syst..

[7]  Alexander Aiken,et al.  Flow-sensitive type qualifiers , 2002, PLDI '02.

[8]  Dawson R. Engler,et al.  Checking system rules using system-specific, programmer-written compiler extensions , 2000, OSDI.

[9]  Vitaly Osipov,et al.  Format String Attacks , 2005 .

[10]  Alexander Aiken,et al.  A theory of type qualifiers , 1999, PLDI '99.

[11]  Fritz Henglein,et al.  Type inference with polymorphic recursion , 1993, TOPL.

[12]  Olin Shivers,et al.  Control flow analysis in scheme , 1988, PLDI '88.

[13]  Frank Pfenning,et al.  Refinement types for ML , 1991, PLDI '91.

[14]  Scott F. Smith,et al.  Static enforcement of security with types , 2000, ICFP '00.

[15]  Jens Palsberg,et al.  Trust in the λ-calculus , 1995, Journal of Functional Programming.

[16]  James Cheney,et al.  Cyclone User''s Manual, Version 0.1.3 , 2001 .

[17]  David Evans,et al.  Statically Detecting Likely Buffer Overflow Vulnerabilities , 2001, USENIX Security Symposium.

[18]  Junfeng Yang,et al.  MECA: an extensible, expressive system and language for statically checking security properties , 2003, CCS '03.

[19]  Sriram K. Rajamani,et al.  The SLAM project: debugging system software via static analysis , 2002, POPL '02.

[20]  Katherine A. Yelick,et al.  Titanium: A High-performance Java Dialect , 1998, Concurr. Pract. Exp..

[21]  Sriram K. Rajamani,et al.  Automatically validating temporal safety properties of interfaces , 2001, SPIN '01.

[22]  Gregory Tassey,et al.  Prepared for what , 2007 .

[23]  Larry Wall,et al.  Programming Perl , 1991 .

[24]  Torben Æ. Mogensen,et al.  Tractable Constraints in Finite Semilattices , 1996, Sci. Comput. Program..

[25]  James Cheney,et al.  Region-based memory management in cyclone , 2002, PLDI '02.

[26]  Alexander Aiken,et al.  Type systems for distributed data structures , 2000, POPL '00.

[27]  David Walker,et al.  An effective theory of type refinements , 2003, ICFP '03.

[28]  Shane Markstrum,et al.  Semantic type qualifiers , 2005, PLDI '05.

[29]  Manuel Fähndrich,et al.  Bane: a library for scalable constraint-based program analysis , 1999 .

[30]  F. Warren Burton,et al.  Encapsulating non-determinacy in an abstract data type with determinate semantics , 1991, Journal of Functional Programming.

[31]  David K. Gifford,et al.  Polymorphic effect systems , 1988, POPL '88.

[32]  Crispin Cowan,et al.  FormatGuard: Automatic Protection From printf Format String Vulnerabilities , 2001, USENIX Security Symposium.

[33]  Christian Mossin,et al.  Flow analysis of typed higher-order programs , 1996, Technical report / University of Copenhagen / Datalogisk institut.

[34]  Reinhard Wilhelm,et al.  Parametric shape analysis via 3-valued logic , 1999, POPL '99.

[35]  Bjarne Stroustrup,et al.  C++ Programming Language , 1986, IEEE Softw..

[36]  Scott F. Smith,et al.  Type inference for recursively constrained types and its application to OOP , 1995, MFPS.

[37]  Jakob Rehof,et al.  Estimating the Impact of Scalable Pointer Analysis on Optimization , 2001, SAS.

[38]  Satish Chandra,et al.  Physical type checking for C , 1999, PASTE '99.

[39]  Geoffrey Smith,et al.  Secure information flow in a multi-threaded imperative language , 1998, POPL '98.

[40]  Jerzy Tiuryn,et al.  Satisfiability of Inequalities in a Poset , 1996, Fundam. Informaticae.

[41]  Matthias Felleisen,et al.  Catching bugs in the web of program invariants , 1996, PLDI '96.

[42]  David A. Wagner,et al.  Finding User/Kernel Pointer Bugs with Type Inference , 2004, USENIX Security Symposium.

[43]  Mayur Naik,et al.  From symptom to cause: localizing errors in counterexample traces , 2003, POPL '03.

[44]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[45]  Jakob Rehof,et al.  Scalable context-sensitive flow analysis using instantiation constraints , 2000, PLDI '00.

[46]  Mark Lillibridge,et al.  Extended static checking for Java , 2002, PLDI '02.

[47]  William R. Bush,et al.  A static analyzer for finding dynamic programming errors , 2000, Softw. Pract. Exp..

[48]  Michael I. Schwartzbach,et al.  The pointer assertion logic engine , 2000, PLDI '01.

[49]  K. Rustan M. Leino,et al.  Houdini, an Annotation Assistant for ESC/Java , 2001, FME.

[50]  Kirsten Lackner Solberg,et al.  Annotated Type Systems for Program Analysis , 1995 .

[51]  Sorin Lerner,et al.  ESP: path-sensitive program verification in polynomial time , 2002, PLDI '02.

[52]  David A. Wagner,et al.  This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. Detecting Format String Vulnerabilities with Type Qualifiers , 2001 .

[53]  Thomas W. Reps,et al.  Pointer analysis for programs with structures and casting , 1999, PLDI '99.

[54]  Polyvios Pratikakis,et al.  Transparent proxies for java futures , 2004, OOPSLA.

[55]  Gary McGraw,et al.  ITS4: a static vulnerability scanner for C and C++ code , 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[56]  Thomas W. Reps,et al.  Precise interprocedural dataflow analysis via graph reachability , 1995, POPL '95.

[57]  Brian A. Davey,et al.  An Introduction to Lattices and Order , 1989 .

[58]  Martín Abadi,et al.  A core calculus of dependency , 1999, POPL '99.

[59]  Geoffrey Smith,et al.  A Type-Based Approach to Program Security , 1997, TAPSOFT.

[60]  Andrew K. Wright Simple imperative polymorphism , 1995, LISP Symb. Comput..

[61]  K. Rustan M. Leino,et al.  Extended static checking , 1998, PROCOMET.

[62]  Alexander Aiken,et al.  Checking and inferring local non-aliasing , 2003, PLDI '03.

[63]  Jakob Rehof,et al.  Type-base flow analysis: from polymorphic subtyping to CFL-reachability , 2001, POPL '01.

[64]  Katherine Yelick,et al.  Titanium: a high-performance Java dialect , 1998 .

[65]  Peter M. Broadwell,et al.  Scrash: A System for Generating Secure Crash Information , 2003, USENIX Security Symposium.

[66]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[67]  Dawson R. Engler,et al.  A system and language for building system-specific, static analyses , 2002, PLDI '02.

[68]  Robin Milner,et al.  A Theory of Type Polymorphism in Programming , 1978, J. Comput. Syst. Sci..

[69]  Benjamin C. Pierce,et al.  Types and programming languages: the next generation , 2003, 18th Annual IEEE Symposium of Logic in Computer Science, 2003. Proceedings..

[70]  Nils Klarlund,et al.  Graph types , 1993, POPL '93.

[71]  Jakob Rehof,et al.  Tractable Constraints in Finite Semilattices , 1999, Sci. Comput. Program..

[72]  Jeffrey S. Foster,et al.  Visualizing type qualifier inference with Eclipse , 2004, eclipse '04.

[73]  Martin Odersky,et al.  Type Inference with Constrained Types , 1999, Theory Pract. Object Syst..

[74]  Alexander Aiken,et al.  Partial online cycle elimination in inclusion constraint graphs , 1998, PLDI.

[75]  Fritz Henglein,et al.  Polymorphic Recursion and Subtype Qualifications: Polymorphic Binding-Time Analysis in Polynomial Time , 1995, SAS.

[76]  Olivier Tardieu,et al.  Ultra-fast aliasing analysis using CLA: a million lines of C code in a second , 2001, PLDI '01.

[77]  Jeffrey S. Foster,et al.  Type qualifiers: lightweight specifications to improve software quality , 2002 .

[78]  David Gay,et al.  Language support for regions , 2001, PLDI '01.

[79]  Thomas A. Henzinger,et al.  Lazy abstraction , 2002, POPL '02.

[80]  Paul Barry,et al.  Programming Perl 3rd Edition , 2000 .

[81]  Thomas W. Reps,et al.  Demand interprocedural dataflow analysis , 1995, SIGSOFT FSE.

[82]  K. Rustan M. Leino,et al.  An Extended Static Checker for Modular-3 , 1998, CC.

[83]  Fritz Henglein,et al.  Efficient Type Inference for Higher-Order Binding-Time Analysis , 1991, FPCA.

[84]  Trent Jaeger,et al.  Using CQUAL for Static Analysis of Authorization Hook Placement , 2002, USENIX Security Symposium.

[85]  Matthias Felleisen,et al.  A Syntactic Approach to Type Soundness , 1994, Inf. Comput..