Static Analysis

Static analysis is not the only way to verify universal (forall-paths) properties of programs: program verification can also be performed dynamically. As a recent milestone, we were able to prove, for the first time in 2013, attacker memory safety of an entire operating-system image parser, namely the ANI Windows image parser, using compositional exhaustive testing (implemented in the dynamic test generation tool SAGE and using the Z3 SMT solver), i.e., no static analysis whatsoever. However, several key verification steps were performed manually, and these verification results depend on assumptions regarding input-dependent loop bounds, fixing a few buffer-overflow bugs, and excluding some code parts that are not memory safe by design. This talk will discuss dynamic program verification, and its strengths and weaknesses.

Higher-Order Model Checking: From Theory
