Program Analysis using Weighted Pushdown Systems Thomas Reps
- Slides: 88
Program Analysis using Weighted Pushdown Systems Thomas Reps, 1, 2 Akash Lal, 1 and Nick Kidd 1 1 Univ. of Wisconsin 2 Gramma. Tech, Inc.
Static Program Analysis • Tool for building correct, reliable, efficient, and secure software • What states can my program reach? – Testing: run on specific (or random) inputs – Static analysis: run “in the aggregate” on descriptors of multiple states Can e ever be out of bounds? . . . a[e]. . . 2
Static Program Analysis • Tool for building correct, reliable, efficient, and secure software • What states can my program reach? – Testing: run on specific (or random) inputs – Static analysis: run “in the aggregate” on descriptors of multiple states Does the program conform to policy P? 3
Sidestepping Undecidability ׃ d SS f f f# f#(d) f(SS) ׃ Control Flow Graph (CFG) Sets of States Descriptors of State Sets 4
Intraprocedural Analysis V 0 # f 1 # f 2 # fk-1 # fk n enter # # pfp = fk fk-1 … f 2 f 1 JOP(n) = pfp(V 0) p Paths. To[n] 5
Sidestepping Undecidability Overapproximate the reachable states Reachable States Bad States False positive! Universe of States 6
Rest of the Talk: A Story From CFL-Reachability to Weighted Pushdown Systems T. Reps, S. Jha, S. Schwoon, N. Kidd, A. Lal, D. Melski, T. Touili, H. Wang, G. Balakrishnan, D. Gopan, J. Lim, S. Chaki, E. Clarke, S. Stubblebine • Prologue – Program analysis via CFL-reachability 7
• Aha! Our Story’s Theme: When the World Smiles on You – My problem P can be cast in formalism F, and I can use a known algorithm AF • Bonus – Can sometimes do more, now that you know that P is an F problem • Bummer – I want to do “something” that F doesn’t support • Ah! – Extend F to do “something” – Write new paper, which is interesting because of the connection to P – Discover that the extension has applications and/or applications in the original context (i. e. , F problems)8
matched ( e [ e ] ] e ) [ ( e [ matched ] ( matched ) matched ] e s | | e e [ e ] ] e CFL-Reachability Ordinary Graph Reachability ) 9 t
CFL-Reachability via Dynamic Programming Graph B Grammar C A B C A O(V 3) [Yannakakis 90] o(V 3) [Chaudhuri 08] 10
start p(a, b) start main x=3 if. . . ( b=a p(x, y) p(a, b) return from p ) printf(y) exit main ] return from p printf(b) exit p 11
Interprocedural Analysis JOVP(n) = V 0 start # f 1 p Matched. Paths. To[n] callq # f 2 # f 3 ( enterq ret ) pfp(V 0) # fk-1 # fk-2 # fk n exitq # f 4 # fk-3 # f 5 12
Representing Distributive Functions [RHS 95] Identity Function a b c f = λV. V f({a, b}) = {a, b} Constant Function f = λV. {b} f({a, b}) = {b} 13
Representing Distributive Functions [RHS 95] “Gen/Kill” Function a b c f = λV. (V {b}) {c} f({a, b}) = {a, c} Non-“Gen/Kill” Function f = λV. if a V then V {b} else V {b} f({a, b}) = {a, b} 14
x y start main x=3 start p(a, b) if. a b . . b=a p(x, y) p(a, b) return from p printf(y) exit main printf(b) exit p 15
x y start main ( start p(a, b) if. x=3 p(x, y) a b . . Might b y be uninitialized here? b=a p(a, b) return from p printf(y) printf(b) YES! exit main ) NO! exit p 16
CFL-Reachability Advantages • Intuitive – good conceptual model for understanding many dataflow-analysis results • Linear-time algorithms for some variants 17
Rest of the Talk: A Story From CFL-Reachability to Weighted Pushdown Systems T. Reps, S. Jha, S. Schwoon, N. Kidd, A. Lal, D. Melski, T. Touili, H. Wang, G. Balakrishnan, D. Gopan, J. Lim, S. Chaki, E. Clarke, S. Stubblebine 20
Our Story • Prologue – Program analysis via CFL-reachability • Chapter 1 – Cubic-time algorithm for certificate-chain discovery in SPKI/SDSI: D. Clarke, J. -E. Elien, C. M. Ellison, M. Fredette, A. Morcos, and R. L. Rivest, Certificate chain discovery in SPKI/SDSI, JCS, 2001 21
Authorization to Use Shared Resources • Traditionally, use access control lists (ACLs) – Associate permissions with objects – E. g. , AFS permissions for directory D reps rlidwka touili rlidwk reps: students rl 22
Trust Management • Express security policy in a formal language – Digitally signed statements – Bob: Joe is my student [C 1] – Alice: All of Bob’s students can access host H [C 2] • Find a proof of authorization – “certificate-chain discovery” • Joe provides “proof of authorization” to Alice – C 1 + C 2 • Proof is checked and Joe is granted access – “compliance checking” • Examples: Keynote [Blaze et al. ], Referee [Chu et al. ], RT* [Li and Mitchell], SD 3 [Jim], Binder[De. Treville], 23 …
SPKI/SDSI • SPKI – Ellison, Frantz, Thomas, & Ylonen • SDSI – Lampson and Rivest • SPKI/SDSI – Ellison, Frantz, Lampson, Rivest, Thomas, & Ylonen – Local name spaces reps student spouse – Delegation 24
SPKI/SDSI Principals (Public Keys) KBob , KAlice Individuals KCS CS Department KOwner[R] Owner of resource R Local Names KCS faculty KBob my. Students Extended Names KBob my. Students Spouse 25
Name Certs Bob is a CS faculty member KCS faculty KBob Alice a student of Bob’s Eachis name cert also has a Kvalidity KAlice specification Bob my. Students (usually a time interval) Alice’s friends. . . KAlice my. Friends KJoe KAlice my. Friends KMary enemies spouse 26
Auth Certs A CS faculty member can use host H KOwner[H] KCS faculty Can delegate Bob allows access to his students KBob my. Students Cannot delegate Alice allows access to her friends KAlice my. Friends 27
KOwner[H] Certificate Chain KOwner[H] KCS faculty KBob KCS faculty KBob my. Students KBob my. Students KAlice 29
KOwner[H] Certificate Chain KOwner[H] KCS faculty KBob my. Students KAlice 30
KOwner[H] Certificate Chain KOwner[H] KCS faculty KBob KAlice my. Friends KBob my. Students Does not apply! KBob my. Students KAlice 31
Basic Authorization-Access Query • Given a resource R and principal K, is K authorized to access R? Solved by finding a certificate chain that proves that access is permitted (certificate -chain discovery) Cubic-time algorithm: Clarke, Elien, Ellison, Fredette, Morcos, & Rivest [JCS 01] 32
Our Story • Prologue – Program analysis via CFL-reachability • Chapter 1 – Cubic-time algorithm for certificate-chain discovery in SPKI/SDSI [CEEFMR 01] • Chapter 2 (Aha!) – September 2001: Jha and Reps discuss Clarke et al. paper and see the connection between certificate-chain discovery and modelchecking pushdown systems (PDSs) – New application for PDS formalism; previously • PDSs describe the call-return structure of programs • PDS model checking: establish properties of recursive programs 33
Unrolled Program = Transition System p: a b j g c q: f h d e i 34
Unrolled Program = ∞-State Transition System p: a f b c d b, ׃ ׃ e c e ׃ ׃ ׃ 35 ׃
Pushdown System (PDS) States: { σ 1, σ 2 , σ 3 , σ 4 } Stack symbols: Pushdown automaton { A, B, C, D } without an input tape Transition rules: <σ1, A> <σ2, e> <σ1, A> <σ2, B C> 36
Pushdown System (PDS) States: { σ1, σ2, σ3, σIf 4 }the state is σ1 and the top of the stack is. A, then Stack symbols: Pushdown automaton pop A { A, B, C, D } without an input transition to state σ2 tape Transition rules: <σ1, A> <σ2, e> <σ1, A> <σ2, B C> 37
Pushdown System (PDS) States: { σ1, σ2, σ3, σIf 4 }the state is σ1 and the top of the stack is. A, then Stack symbols: Pushdown automaton pop A { A, B, C, D } without an input tape transition to state σ 2 Transition rules: push B <σ1, A> <σ2, e> <σ1, A> <σ2, B C> 38
Pushdown System (PDS) States: { σ 1, σ 2 , σ 3 , σ 4 } Stack symbols: If the state is σ1 and the Pushdown automaton { A, B, C, D } top of the stack is. A, then without an input tape pop A Transition rules: transition to stateσ2 <σ1, A> <σ2, e> push C; then push B <σ1, A> <σ2, B> <σ1, A> <σ2, B C> 39
Rules Define a Transition Relation <σ, A> <σ’, ε> <σ, A> <σ’, B C> σ A σ’ σ’ B C 40
Pushdown System (PDS) • Pushdown automaton without an input tape • Mechanism for defining a class of infinite-state transition systems <σ, A> <σ, A A> <σ, AA> <σ, AAAA> ׃ 41
Interprocedural CFG as a PDS p: a b g c <σ, a> <σ, b> j q: f h d e i 42
Interprocedural CFG as a PDS p: a b g c <σ, b> <σ, c> j q: f h d e i 43
Interprocedural CFG as a PDS p: a b j g c <σ, c> <σ, d f> q: save return site on stack f h d e i 44
Interprocedural CFG as a PDS p: a b g c <σ, d> <σ, e> j q: f h d e i 45
Interprocedural CFG as a PDS p: a b g c <σ, e> <σ, ε> q: uncovers most recent call site j f h d e i 46
Interprocedural CFG as a PDS p: a b g c <σ, f> <σ, g> j q: f h d e i 47
Interprocedural CFG as a PDS p: a b g c <σ, g> <σ, h> j q: f h d e i 48
Interprocedural CFG as a PDS p: a b j g c <σ, h> <σ, d i> q: save return site on stack f h d e i 49
PDS Terminology Configuration <σ, B A C> σ, B A C c c’ (transition relation) c’ follows from c by a transition rule c predecessor of c’ c’ successor of c c 0 c 1 . . . cn (a run) c * c’ reflexive transitive closure of 55
PDS Terminology Configuration <KBob , my. Students > KBob , my. Students c c’ (transition relation) c’ follows from c by a transition rule c predecessor of c’ c’ successor of c c 0 c 1 . . . cn (a run) c * c’ reflexive transitive closure of 56
Basic Authorization-Access Query: <KOwner[H] , > Pre*({<K, □>, <K, ■>})? <KOwner[H] , > S = {<K, □>, <K, ■>} Pre*(S) 57
Representation Issue – <σ, A> <σ, e > – pre* ( {<σ, A>}) = { σ Ai | i ≥ 1 } . . . • The set of configurations pre*(S) can be infinite • Example <σ, AAA> <σ, A> • Solution in the PDS literature: <σ, e > Represent a set of configurations with an automaton 58
{<KAlice, >, <KAlice, >} KOwner[H] KCS KBob { , KAlice } 61
What Does the Automaton Represent? • A set of configurations: <K, a 1 … am > is in the set if there is a path K a 1 a 2 am . . . • Initial automaton represents {<KAlice, KOwner[H] KCS >, <KAlice, >} KBob KAlice { , } 62
From M to Pre*(M) <σ, A> <σ1, A 1. . . Am> A 1. . . Am σ1 A σ . . . A 1 σ A σ1 Am 63
Pre*({<KAlice, >, <KAlice, >}) my. Students faculty KOwner[H] KCS KBob { , KAlice } <KBob , my. Students > <KAlice , e> <KCS, faculty > <KBob , e> 64
Pre*({<KAlice, >, <KAlice, >}) my. Students faculty KOwner[H] KCS KBob { , KAlice } <KBob , > <KBob , my. Students ■> <KOwner[H] , > <KCS, faculty > 65
Pre*({<KAlice, >, <KAlice, >}) my. Students faculty KOwner[H] KCS KBob { , KAlice } <KOwner[H] , > Pre*({<KAlice, □>, <KAlice, ■>}) 66
Our Story • Chapter 3 (Bonus) – Applying model-checking techniques lets you answer other questions about SPKI/SDSI certificate sets [JR 02, JR 04] • What are the properties of this security policy? • What would happen if the policy were changed? 68
Certificate-Set Analysis • Expiration vulnerability query What resources will principal K be prevented from accessing if certificate set C’ expires? R 1 = pre*[C] ({<K, >, <K, >}) R 2 = pre*[C-C’] ({<K, >, <K, >}) {KOwner[R] | <KOwner[R] , > is in R 1 – R 2 } 70
Certificate-Set-Analysis • Many more — see [JR 04] • Main message: Algorithms for model checking pushdown systems can be exploited to solve several certificate-set-analysis problems 71
Our Story • Chapter 3 (Bonus) – Applying model-checking techniques lets you answer other questions about SPKI/SDSI certificate sets [JR 02, JR 04] • Chapter 4 (Bummer) – Actually, SPKI/SDSI PDS • What about issues such as recency, trust, and expiration? – From PDSs to weighted PDSs [SJRS 03] 72
Weighted Pushdown System (WPDS) [BET 03], [SJRS 03] States: { σ 1, σ 2 , σ 3 , σ 4 } Stack symbols: { A, B, C, D } Transition rules: w 1 <σ1, A> <σ2, e> w 2 <σ1, A> <σ2, B> w 3 <σ1, A> <σ2, B C> 73
Privacy using a Weighted PDS <KInsurer, □> <KH, patient ■> <KH, patient> <KAIDS, patient> <KH, patient> <KIM, patient> <KAIDS, patient> <KAlice, e> <KIM, patient> <KAlice, e> I S I I S 74
Privacy using a Weighted PDS I I I=I I S S = S <KInsurer, □> I I <KH, patient ■> S S I <KIM, patient ■> <KAIDS, patient ■> S I <KAlice, ■> I S I=I 75
Idempotent Semiring (D, , , 0, 1) [= Join Semilattice (D, , . . . )] a 0=a a b=b a a (b c) = (a b) c a a=a a b iff a b = a 1=a a (b c) = (a b) c a (b c) = (a b) (a c) (a b) c = (a c) (b c) a 0=0 a=0 76
Idempotent Semiring (D, , , 0, 1) [= Join Semilattice (D, , . . . )] a b iff a b = D 0 1 Validity N { } max min - Privacy {S, I} S I=I S I=S S + I 77
Validity using a Weighted PDS Rule KOwner[D] KAlice Validity 10 20 Request Does KAlice have the right to access D? If so, what is the cert chain with the largest validity value? 78
Validity using a Weighted PDS <KOwner[D], > 10 20 = max <KAlice, ■> max(10, 20) = 20 79
“Auth Cert Reduction is Incomplete” [LM 03] Rule KOwner[D] KAlice Authorization {read} {write} Request Does KAlice have {read, write} access to D? No RFC 2693: “Remove all certificates whose authorization is not {read, write}” 80
Authorization using a Weighted PDS <KOwner[D], > {read} Cert chain? ! {write} = <KAlice, ■> {read} {write} = {read, write} 81
Authorization using a Weighted PDS <KOwner[D], > {read} Cert tree! {write} = <KAlice, ■> {read} {write} = {read, write} 82
From M to Pre*(M) w <σ, A> <σ1, A 1. . . Am> σ1 A 1. . . Am X. . . σ w σ1 w. Am A σ A 1 A σk V V (w X) . . . X X . . . σk 86
Our Story • Chapter 3 (Bonus) – Applying model-checking techniques lets you answer other questions about SPKI/SDSI certificate sets [JR 02, JR 04] • Chapter 4 (Bummer) – Actually, SPKI/SDSI PDS • What about issues such as recency, trust, and expiration? – From PDSs to weighted PDSs [SJRS 03] • Chapter 5 (Ah!) – WPDSs provide a new framework for static program analysis that is strictly richer than 35 years worth of previous approaches [RSJ 03, RSJM 05] 87
Idempotent Semiring (D, , , 0, 1) [= Join Semilattice (D, , . . . )] a b iff a b = D Validity N { } max 0 1 min - + Privacy {S, I} S I=I S I=S S I Auth. ({rlidwka}) {rlidwka} Dataflow D id analysis 88
WPDSs: A More Powerful Program-Analysis Framework • Example: better debugging primitive – at a breakpoint at n, retrieve the stack (say S) – stack-constrained slicing: “What are the program elements that could have affected the values used at n, given that we reached n with stack S? ” 89
So What? Who Cares? [Yawn] • Check properties of programs using model checking – SLAM [Ball & Rajamani 00] – MOPS [Chen & Wagner 02] – “Metacompliation” [Engler et al. ] In essence, all are using PDSs • PDS WPDS – More powerful formalism for modeling program behaviors: How does the program transform the data? 96
Our Story Continues. . . • Traditional trust-management models provide centralized solutions – require certificates to be sent to a central site for certificate-chain discovery • not acceptable in practice – solution: distributed WPDS solver [JSWR 06, Kidd unpublished] • useful in program analysis, too • Polyhedral analysis? – “widening weights” [Gopan thesis] • Concurrent PDS model checker [CCKRT 06] – Analysis engine for model checking concurrent programs – Undecidable in general; uses semi-decision procedure [BET 03] • Context-bounded model checking – Analyze a concurrent program for a bounded number of context switches [QR 05], [LTKR 08] 102
Concurrent PDS Model Checking • CPDS: Analysis engine for model checking concurrent programs S. Chaki, E. Clarke, N. Kidd, T. Reps, and T. Touili, Verifying concurrent message-passing C programs with recursive calls, TACAS, 2006. • CPDS – Magic + an appropriate WPDS – Found a real bug in a Bluetooth driver 103
CPDS Analysis of Bluetooth Driver (I) • Model of Bluetooth driver from Windows NT – Reentrant multi-threaded library • Has known bug, found by KISS [QW 04] – 2 handler processes • each receives one request ― A: RUN; B: STOP – 2 context switches: A B A • Modeled with a CPDS – Buggy run performs 8 actions – Found in 5 seconds, using 334 MB 104
CPDS Analysis of Bluetooth Driver (II) • “Corrected” version of model obtained from S. Qadeer (Microsoft Research) • Challenge: Could we establish that it was correct? • Answers obtained by CPDS model checking: – For 2 processes, correct – For 3 processes, incorrect – Buggy run performs 14 actions – Found in 20 seconds, using 391 MB 105
CPDS Analysis of Bluetooth Driver (III) • What was the bug? – 3 handler processes; 1 request each • A 1: RUN • A 2: RUN • B: STOP – 4 context switches: A 1 B A 2 B A 1 counter = 2 counter-- finish; counter-- release resources 106
CPDS Analysis of Bluetooth Driver (IV) • Corrected, “corrected” version • Answers obtained by CPDS model checking: – For 2 processes, correct – For 3 processes, correct – For 4 processes, correct – For 5 processes, memory exhausted – [More efficient version being developed] 107
Conclusion • Built a bridge between authorization problems for distributed systems and static program analysis – Message: use model-checking techniques for the reachability problems that arise in authorization • Similar to what happened 25 years ago for HW verification – Showed how to fix a flaw in SPKI/SDSI • cert chain cert tree • Beneficial side effect: improved program-analysis methods – we use WPDSs extensively in our tools to analyze stripped x 86 executables [LRB 05, B 07] • Cross-fertilization from working on both problems together • Try them youself: Google for “WPDS++” or “WALi” 109
Questions? 110
111
Related Work • SPKI/SDSI – Clarke, Elien, Ellison, Fredette, Morcos, & Rivest [J. Comp. Sec. 01] • Pushdown systems – – Bouajjani, Esparza, & Maler [Concur 97] Finkel, Willems, & Wolper [ENTCS 97] Esparza, Hansel, Rossmanith, & Schwoon [CAV 00] Bouajjani, Esparza, & Touili [POPL 03] • Weighted-hypergraph problems – – Knuth [IPL 77] Grammar flow analysis: Möncke & Wilhelm [WAGA 91] Ramalingam thesis [LNCS #1089] Ramalingam & Reps [J. Alg 96] • Interprocedural dataflow analysis – [Cousot & Cousot 78], [Sharir & Pnueli 81], Knoop & Steffen 92] 112 – IDE framework: Sagiv, Reps, & Horwitz [TCS 96]
Other Contributions • Differential propagation [SCP 05] – Weight domain + difference operator • Simultaneous forward & backward analysis – Error projection [SAS 07] • Extended WPDS [CAV 05] – Extension for handling local variables • • Non-saturation-based pre*/post* algs. [CAV 06] Distributed algorithms for WPDS problems Implemented systems (WPDS++, WALi) Non-trivial applications in a tool for analyzing stripped executables 114
- Thomas reps
- Thomas reps
- Weighted and non weighted codes with example
- How many house of reps per state
- Sistema reps
- Weighted hybrid recommender systems
- Two stack pda examples
- Pushdown automata examples
- Pushdown automata adalah
- Pushdown accounting
- Pushdown automata exercises
- Pushdown automata implementation
- Pushdown automata implementation
- Pushdown automata examples
- Automata theory
- Pushdown automata
- Pda
- Languages accepted by pda
- Mizuhito ogawa
- Pushdown automata
- Pushdown automata
- Automata
- Radar range equation snr
- Object-oriented systems analysis and design using uml
- Radar systems analysis and design using matlab
- Threat vulnerability asset worksheet
- Threat vulnerability pairs
- Tva worksheet example
- Threat vulnerability asset worksheet
- Information asset classification worksheet
- Weighted factor analysis worksheet
- Pathologist and anthropologist
- Using system using system.collections.generic
- Dtfd switch
- Thomas king totem
- Signs of the times thomas carlyle
- Farewell love poem line by line explanation
- Practice 7-3 solving systems using elimination answer key
- Solving systems using tables and graphs
- 6-3 solving systems using elimination
- Solving word problems using systems of equations
- Managing and using information systems
- 3-6 solving systems using matrices
- Modeling of digital communication systems using simulink
- Analyzing systems using data dictionaries
- Using the neuman systems model for best practices
- 6-3 solving systems by elimination
- Modeling of digital communication systems using simulink
- Digital systems design using verilog
- Ece 526
- Global challenges in information systems
- 3-1 solving systems using tables and graphs
- 6-3 solving systems by elimination
- 6-2 solving systems using substitution
- Elimination algebra 1
- Solving systems of equations by elimination steps
- Solve each equation by substitution
- 6-3 solving linear systems using inverses and cramer's rule
- Integration using tables and computer algebra systems
- 6-3 solving systems using elimination
- "patch operating systems and applications using"
- "patch operating systems and applications using"
- Using the neuman systems model for best practices
- Weighted interval scheduling
- Time weighted return
- Weighted methods per class
- Risk weighted assets formula
- Weighted kypho-orthosis
- Floyd warshall algorithm transitive closure
- Sppd nielsen คือ
- Non-monotonic
- Spline
- Edgenuity definition
- Unweighted 0-1 factor model
- Highest weighted gpa
- Whats a good weighted gpa
- Activity-selection problem
- G=(v,e)
- What is a weighted gpa
- Goal programming formulation example
- Weighted factor scoring model
- Weighted-union heuristic
- Binary weighted resistor dac
- Binary weighted resistor dac
- Pre-tax cost of debt formula
- Weighted code
- Price weighted index
- Weighted average inventory costing method
- How to compute legal capital