Inference and enforcement of data structure consistency specifications

Corrupt data structures are an important cause of unacceptable program execution. Data structure repair (which eliminates inconsistencies by updating corrupt data structures to conform to consistency constraints) promises to enable many programs to continue to execute acceptably in the face of otherwise fatal data structure corruption errors. A key issue is obtaining an accurate and comprehensive data structure consistency specification. We present a new technique for obtaining data structure consistency specifications for data structure repair. Instead of requiring the developer to manually generate such specifications, our approach automatically generates candidate data structure consistency properties using the Daikon invariant detection tool. The developer then reviews these properties, potentially rejecting or generalizing overly specific properties to obtain a specification suitable for automatic enforcement via data structure repair. We have implemented this approach and applied it to three sizable benchmark programs: CTAS (an air-traffic control system), BIND (a widely-used Internet name server) and Freeciv (an interactive game). Our results indicate that (1) automatic constraint generation produces constraints that enable programs to execute successfully through data structure consistency errors, (2) compared to manual specification, automatic generation can produce more comprehensive sets of constraints that cover a larger range of data structure consistency properties, and (3) reviewing the properties is relatively straightforward and requires substantially less programmer effort than manual generation, primarily because it reduces the need to examine the program text to understand its operation and extract the relevant consistency constraints. Moreover, when evaluated by a hostile third party "Red Team" contracted to evaluate the effectiveness of the technique, our data structure inference and enforcement tools successfully prevented several otherwise fatal attacks.
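As an added example (not code from the paper or from Daikon), the following Python sketch mimics the three stages the abstract describes on a constructed bounded-table structure: Daikon-style candidate inference from observed states, developer review that generalizes an overly specific candidate, and enforcement by repair. The `Table` type, the candidate templates, the observed trace and the repair actions are all assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Table:
    # Constructed toy structure: a bounded array plus a cached fill count.
    items: list
    count: int
    capacity: int

# Repair actions (assumed): each restores one property by overwriting the
# cached field or truncating, instead of letting the program abort.
def _fix_count(t): t.count = len(t.items)
def _fix_capacity(t): del t.items[t.capacity:]; t.count = len(t.items)

# Candidate properties, Daikon-style: (name, check, repair action).
CANDIDATES = [
    ("count == len(items)", lambda t: t.count == len(t.items), _fix_count),
    ("count <= capacity",   lambda t: t.count <= t.capacity,   _fix_capacity),
    ("capacity == 8",       lambda t: t.capacity == 8,         None),
]

# Constructed execution trace: the states an instrumented run observed.
OBSERVED = [Table([], 0, 8), Table([1], 1, 8), Table([1, 2, 3], 3, 8)]

def infer(states):
    """Keep every candidate that held in all observed states."""
    return [c for c in CANDIDATES if all(c[1](s) for s in states)]

def review(props):
    """Developer review: 'capacity == 8' only reflects the test inputs, so
    it is generalized to 'capacity > 0'; the other candidates are kept."""
    generalized = ("capacity > 0", lambda t: t.capacity > 0, None)
    return [generalized if n == "capacity == 8" else (n, c, f)
            for n, c, f in props]

SPEC = review(infer(OBSERVED))

def repair(t, spec=SPEC, max_rounds=10):
    """Enforce the specification: apply repair actions until every constraint
    holds. Returns False if a violated constraint has no repair action or
    the actions do not converge within max_rounds."""
    for _ in range(max_rounds):
        broken = [c for c in spec if not c[1](t)]
        if not broken:
            return True
        for _, _, fix in broken:
            if fix is None:
                return False
            fix(t)
    return False
```

The reviewed specification accepts a table with a capacity never seen during inference (for example 16), whereas the raw inferred candidates would reject it; that difference is the generalization step the abstract attributes to the developer.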
