Kaninda Musumbu

DOI: https://doi.org/10.48550/arXiv.0902.1871

2009-02-11

Abstract:interpretation is a general methodology for building static analyses of programs. It was introduced by P. and R. Cousot in \cite{cc}. We present, in this paper, an application of a generic abstract interpretation to domain of model-checking. Dynamic checking are usually easier to use, because the concept are establishe d and wide well know. But they are usually limited to systems whose states space is finite. In an other part, certain faults cannot be detected dynamically, even by keeping track of the history of the states <a class="link-external link-http" href="http://space.Indeed" rel="external noopener nofollow">this http URL</a>, the classical problem of finding the right test cases is far from trivial and limit the abilities of dynamic checkers further. Static checking have the advantage that they work on a more abstract level than dynamic checker and can verify system properties for all inputs. Problem, it is hard to guarantee that a violation of a modeled property corresponds to a fault in the concrete system. We propose an approach, in which we generate counter-examples dynamically using the abstract interpretation techniques.

Data Structures and Algorithms,Symbolic Computation

Sandrine Blazy,Vincent Laporte,David Pichardie

DOI: https://doi.org/10.1007/s10817-015-9359-8

2016-01-25

Journal of Automated Reasoning

Abstract:Static analysis of binary code is challenging for several reasons. In particular, standard static analysis techniques operate over control-flow graphs, which are not available when dealing with self-modifying programs which can modify their own code at runtime. We formalize in the Coq proof assistant some key abstract interpretation techniques that automatically extract memory safety properties from binary code. Our analyzer is formally proved correct and has been run on several self-modifying challenges, provided by Cai et al. in their PLDI 2007 article.

computer science, artificial intelligence

Qingyu Jiang,Jing Liu,Haodong Hu

DOI: https://doi.org/10.1109/apsec.2018.00026

2018-01-01

Abstract:Ensuring the reliability of concurrency software systems is difficult due to the interaction between threads. This article discusses the requirements for formal verification of concurrent embedded software and proposes a constraint-based flow-sensitive static analysis for concurrent avionics software by iteratively composing thread-modular abstract interpreters. These constraint are based on data-flow graphs and used to rule out patterns of thread interference that can not occur in a real program execution. Our new method has the advantage of being more accurate than existing, flow-insensitive, static avionics analyzers while remaining scalable and providing the expected soundness and termination guarantees. We implemented our method and evaluated it on an industrial setting, hinting at the maturity of our approach.

HOU Su-ning,CHEN Li-qian,WANG Zhao-fei,WANG Ji

DOI: https://doi.org/10.3969/j.issn.1007-130x.2011.03.018

2011-01-01

Abstract:The validation of program correctness is a challenge problem in computer science.The theory of abstract interpretation provides a general framework for static analysis which can deduce programs' dynamic property automatically.A value range analysis based on abstract interpretation can give the invariant relationship of variables at every program point,which is very important to compilation optimization and error examination.We propose an interprocedural framework that analyses the value range information of numerical programs,which can process C and Fortran programs.The C or Fortran source program is first preprocessed to an uniform representation,and then we draw the semantic equation which is equivalent to the source semantics.Finally,the iterative computation is done on this syntax equation to get the program invariant.Besides,we model some complex syntax structures such as array.The experiment indicates that our framework is very extensive and precise,and can process most problems brought by the usage of array.

Jesko Hecking-Harbusch,Jochen Quante,Maximilian Schlund

DOI: https://doi.org/10.48550/arXiv.2310.16468

2023-10-25

Abstract:Modern automotive software is highly complex and consists of millions lines of code. For safety-relevant automotive software, it is recommended to use sound static program analysis to prove the absence of runtime errors. However, the analysis is often perceived as burdensome by developers because it runs for a long time and produces many false alarms. If the analysis is performed on the integrated software system, there is a scalability problem, and the analysis is only possible at a late stage of development. If the analysis is performed on individual modules instead, this is possible at an early stage of development, but the usage context of modules is missing, which leads to too many false alarms. In this case study, we present how automatically inferred contracts add context to module-level analysis. Leveraging these contracts with an off-the-shelf tool for abstract interpretation makes module-level analysis more precise and more scalable. We evaluate this framework quantitatively on industrial case studies from different automotive domains. Additionally, we report on our qualitative experience for the verification of large-scale embedded software projects.

Software Engineering

James Ian Johnson

DOI: https://doi.org/10.48550/arXiv.1504.08033

2015-04-29

Programming Languages

Abstract:Static program analysis is a valuable tool for any programming language that people write programs in. The prevalence of scripting languages in the world suggests programming language interpreters are relatively easy to write. Users of these languages lament their inability to analyze their code, therefore programming language analyzers are not easy to write. This thesis investigates a systematic method of creating abstract interpreters from traditional interpreters, called Abstracting Abstract Machines. Abstract interpreters are difficult to develop due to technical, theoretical, and pragmatic problems. Technical problems include engineering data structures and algorithms. I show that modest and simple changes to the mathematical presentation of abstract machines result in 1000 times better running time - just seconds for moderately sized programs. In the theoretical realm, abstraction can make correctness difficult to ascertain. I provide proof techniques for proving the correctness of regular, pushdown, and stack-inspecting pushdown models of abstract computation by leaving computational power to an external factor: allocation. Even if we don't trust the proof, we can run models concretely against test suites to better trust them. In the pragmatic realm, I show that the systematic process of abstracting abstract machines is automatable. I develop a meta-language for expressing abstract machines similar to other semantics engineering languages. The language's special feature is that it provides an interface to abstract allocation. The semantics guarantees that if allocation is finite, then the semantics is a sound and computable approximation of the concrete semantics.

Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Martin Kardos,Yuhong Zhao

DOI: https://doi.org/10.1007/1-4020-8149-9_3

2004-01-01

Abstract:System level design incorporating system modeling and formal specification in combination with formal verification can substantially contribute to the correctness and quality of the embedded systems and consequently help reduce the development costs. Ensuring the correctness of the designed system is, of course, a crucial design criterion especially when complex distributed (realtime) embedded systems are considered. Therefore, this paper aims at presenting a verification framework designated for formal verification and validation of UML-based design of embedded systems. It first introduces an approach of using the AsmL language for acquiring formal models of the UML semantics and consequently presents an on-the-fly model checking technique designed to run the formal verification directly over those semantic models.

Bowen Zhang,Wei Chen,Hung-Chun Chiu,Charles Zhang

2024-05-21

Abstract:Static analysis techniques enhance the security, performance, and reliability of programs by analyzing and portraiting program behaviors without the need for actual execution. In essence, static analysis takes the Intermediate Representation (IR) of a target program as input to retrieve essential program information and understand the program. However, there is a lack of systematic analysis on the benefit of IR for static analysis, besides serving as an information provider. In general, a modern static analysis framework should possess the ability to conduct diverse analyses on different languages, producing reliable results with minimal time consumption, and offering extensive customization options. In this survey, we systematically characterize these goals and review the potential solutions from the perspective of IR. It can serve as a manual for learners and practitioners in the static analysis field to better understand IR design. Meanwhile, numerous research opportunities are revealed for researchers.

Programming Languages,Software Engineering

David Monniaux

DOI: https://doi.org/10.48550/arXiv.2211.09572

2023-05-25

Abstract:Static analysis by abstract interpretation is generally designed to be ''sound'', that is, it should not claim to establish properties that do not hold-in other words, not provide ''false negatives'' about possible bugs. A rarer requirement is that it should be ''complete'', meaning that it should be able to infer certain properties if they hold. This paper describes a number of practical issues and questions related to completeness that I have come across over the years.

Programming Languages

Gabor Horvath,Reka Kovacs,Richard Szalay,Zoltan Porkolab

2024-08-11

Abstract:Static analysis is a method of analyzing source code without executing it. It is widely used to find bugs and code smells in industrial software. Besides other methods, the most important techniques are those based on the abstract syntax tree and those performing symbolic execution. Both of these methods found their role in modern software development as they have different advantages and limitations. In this tutorial, we present two problems from the C++ programming language: the elimination of redundant pointers, and the reporting of dangling pointers originating from incorrect use of the std::string class. These two issues have different theoretical backgrounds and finding them requires different implementation techniques. We will provide a step-by-step guide to implement the checkers (software to identify the aforementioned problems) - one based on the abstract syntax analysis method, the other exploring the possibilities of symbolic execution. The methods are explained in great detail and supported by code examples. The intended audience for this tutorial are both architects of static analysis tools and developers who want to understand the advantages and constraints of the different methods.

Software Engineering

Yuting Yang,Rui Wang,Youchen Wang,Xu Miao,Bing Liu,Shan Jiang

DOI: https://doi.org/10.1109/dsa56465.2022.00087

2022-01-01

Abstract:In the static analysis of Simulink models, there always exist false positives in the model rule checking results. Research shows that one of the important reasons is that the checking process ignores the model context information, which makes the program unable to make accurate judgments and warning potential risks. In response to this problem, researchers propose an optimization method based on model slicing and abstract interpretation to optimize the inspection results includes variable values or variable types. The optimization method first obtains the backward model slice that may affect the problem module as the focus of the analysis, converts the slice into a three-address code program, and constructs a control flow graph (CFG) after completing the basic block analysis of the program. At the same time, the abstract explanation theory is used to design and execute iterative algorithms for possible problems and constructed control flow graphs, infer variable values or variable types, and finally complete the optimization of the inspection results. In this paper, the effectiveness of our method is applied in two experiments and achieves decent performance.

Chi ZHANG,Zhi-qiu HUANG,Ze-wen DING,Lin-wu Liu

DOI: https://doi.org/10.3969/j.issn.1003-6199.2017.03.025

2017-01-01

Abstract:How to ensure software safety has become an important subject in safety critical domain .Ensuring the absence of run-time errors in the program is very important for the safety of the software .The program semantics was abstracted by the static analysis method based on abstract interpretation ,and it is one of the most appropriate formal methods for validating run-time errors .Configurable program analysis is a general analytical framework for a variety of static analysis methods .The CPA is used to model the abstraction analysis method ,and the validation process of using CPA-based abstract interpretation method to verify the run-time errors in the program is given .Then the effectiveness of the method is illustrated by an example .This provides a feasible solution for the automatic analysis and verification of run-time errors in the program .

Matthieu Lemerre,Sébastien Bardin

DOI: https://doi.org/10.48550/arXiv.1712.10058

2017-12-29

Abstract:The traditional abstract domain framework for imperative programs suffers from several shortcomings; in particular it does not allow precise symbolic abstractions. To solve these problems, we propose a new abstract interpretation framework, based on symbolic expressions used both as an abstraction of the program, and as the input analyzed by abstract domains. We demonstrate new applications of the frame- work: an abstract domain that efficiently propagates constraints across the whole program; a new formalization of functor domains as approximate translation, which allows the production of approximate programs, on which we can perform classical symbolic techniques. We used these to build a complete analyzer for embedded C programs, that demonstrates the practical applicability of the framework.

Software Engineering

A. Tiwari,N. Shankar,J. Rushby

DOI: https://doi.org/10.1109/jproc.2002.805818

IF: 20.6

2003-01-01

Proceedings of the IEEE

Abstract:Embedded control systems typically comprise continuous control laws combined with discrete mode logic. These systems are modeled using a hybrid automaton formalism, which is obtained by combining the discrete transition system formalism with continuous dynamical systems. This paper develops automated analysis techniques for asserting correctness of hybrid system designs. Our approach is based on symbolic representation of the state space of the system using mathematical formulas in an appropriate logic. Such formulas are manipulated using symbolic theorem proving techniques. It is important that formal analysis should be unobtrusive and acceptable to engineering practice. We motivate a methodology called invisible formal methods that provides a graded sequence of formal analysis technologies ranging from extended typechecking, through approximation and abstraction, to model checking and theorem proving. As an instance of invisible formal methods, we describe techniques to check inductive invariants, or extended types, for hybrid systems and compute discrete finite state abstractions automatically to perform reachability set computation. The abstract system is sound with respect to the formal semantics of hybrid automata. We also discuss techniques for performing analysis on nonstandard semantics of hybrid automata. We also briefly discuss the problem of translating models in Simulink/Stateflow language, which is widely used in practice, into the modeling formalisms, like hybrid automata, for which analysis tools are being developed.

engineering, electrical & electronic

Laurent Hubert,Nicolas Barré,Frédéric Besson,Delphine Demange,Thomas Jensen,Vincent Monfort,David Pichardie,Tiphaine Turpin

DOI: https://doi.org/10.1007/978-3-642-18070-5_7

2010-07-20

Abstract:Static analysis is a powerful technique for automatic verification of programs but raises major engineering challenges when developing a full-fledged analyzer for a realistic language such as Java. This paper describes the Sawja library: a static analysis framework fully compliant with Java 6 which provides OCaml modules for efficiently manipulating Java bytecode programs. We present the main features of the library, including (i) efficient functional data-structures for representing program with implicit sharing and lazy parsing, (ii) an intermediate stack-less representation, and (iii) fast computation and manipulation of complete programs.

Programming Languages

Julian Erhard,Simmo Saan,Sarah Tilscher,Michael Schwarz,Karoliine Holter,Vesal Vojdani,Helmut Seidl

DOI: https://doi.org/10.1007/s10009-024-00768-9

2024-09-25

International Journal on Software Tools for Technology Transfer

Abstract:To put sound program analysis at the fingertips of the software developer, we propose a framework for interactive abstract interpretation of multithreaded C code. interpretation provides sound analysis results, but can be quite costly in general. To achieve quick response times, we incrementalize the analysis infrastructure, including postprocessing, without necessitating any modifications to the analysis specifications themselves. We rely on the local generic fixpoint engine TD – which we enhance with reluctant destabilization to minimize reanalysis effort. Dedicated further improvements support precise incremental analysis of program properties that include concurrency deficiencies such as data-races. The framework has been implemented in the static analyzer Goblint , and combined with the MagpieBridge framework to relay findings to IDEs. We evaluate our implementation w.r.t. the yard sticks of response time and consistency. We also provide examples of program development highlighting the usability of our approach.

computer science, software engineering

Hongliang Liang,Lei Wang,Dongyang Wu,Jiuyun Xu

DOI: https://doi.org/10.2991/ijndc.2016.4.3.1

2016-01-01

International Journal of Networked and Distributed Computing

Abstract:Program bugs may result in unexpected software error, crash or serious security attack. Static program analysis is one of the most common methods to find program bugs. In this paper we present MLSA -- a static analysis tool based on LLVM Intermediate Representation (IR), which can analyze programs written in multiple programming languages. MLSA combines symbolic execution with Z3 SMT solver to find bugs. At present, MLSA can detect some kinds of bugs, such as divide zero error, pointer overflow and dead code. Moreover, as a framework, MLSA follows the scalability and extensibility principles, which can help detect other types of bugs. Experiments show that MLSA is effective in finding bugs in real world software.

Lian Yu,Jun Zhou,Yue Yi,Ping Li,Qianxiang Wang

DOI: https://doi.org/10.1109/compsac.2008.73

2008-01-01

Abstract:Typical enterprise and military software systems consist of millions of lines of code with complicated dependence on diverse library abstractions. Manually debugging these codes imposes developers overwhelming workload and difficulties. To address software quality concerns efficiently, this paper proposes an ontology-based static analysis approach to automatically detect bugs in the source code of Java programs. First, we elaborate bug list collected, classify bugs into different categories, and translate bug patterns into SWRL (semantic Web rule language) rules using an ontology tool, Protege. An ontology model of Java program is created according to Java program specification using Protege as well. Both SWRL rules and the program ontology model are exported in OWL (Web ontology language) format. Second, Java source code under analysis is parsed into the abstract syntax tree (AST), which is automatically mapped to the individuals of the program ontology model. SWRL bridge takes in the exported OWL file (representing the SWRL rules model and program ontology model) and the individuals created for the Java code, conduits to Jess (a rule engine), and obtains inference results indicating any bugs. We perform experiments to compare bug detection capability with well-known FindBugs tool. A prototype of bug detector tool is developed to show the validity of the proposed static analysis approach.

Martin Bodin,Thomas Jensen,Alan Schmitt

DOI: https://doi.org/10.48550/arXiv.1309.5149

2013-09-20

Programming Languages

Abstract:We present a technique for deriving semantic program analyses from a natural semantics specification of the programming language. The technique is based on a particular kind of semantics called pretty-big-step semantics. We present a pretty-big-step semantics of a language with simple objects called O'While and specify a series of instrumentations of the semantics that explicitates the flows of values in a program. This leads to a semantics-based dependency analysis, at the core, e.g., of tainting analysis in software security. The formalization has been realized with the Coq proof assistant.