Program Analysis

10. Advanced Iteration Techniques

Kihong Heo

Advanced Analysis Techniques

• So far, our focus has mostly been on sound abstract semantics

• From now on, we will cover several advanced techniques to achieve efficient
and accurate analysis

[Figure: two diagrams, each showing program states and error states]

10. Advanced Iteration Techniques CS524 / KAIST Kihong Heo 2 / 18

Iteration Strategies

• Loop invariant inference: sequences of abstract iterations

• Compute weaker and weaker abstract states until stabilization (via join and widening)

• “Loop is evil”: a main source of imprecision in static analysis

• Need for techniques to improve precision

Problem 1: Overused Widening

• Recall the worklist algorithm


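$X : L \to M^\sharp$
$F^\sharp : (L \to M^\sharp) \to (L \to M^\sharp)$
$\mathit{Worklist} : \wp(L)$
begin
    $\mathit{Worklist} \leftarrow L$
    $X \leftarrow \bot$
    repeat
        $(w, \mathit{Worklist}) \leftarrow \mathrm{pop}(\mathit{Worklist})$
        $m^\sharp_{old} \leftarrow X(w)$
        $m^\sharp_{new} \leftarrow \bigsqcup \{ m^\sharp_{in} \mid \langle l, X(l) \rangle \hookrightarrow^\sharp \langle w, m^\sharp_{in} \rangle \}$
        $m^\sharp_{new} \leftarrow m^\sharp_{old} \mathbin{\nabla} m^\sharp_{new}$    (Widening everywhere?)
        if $m^\sharp_{new} \not\sqsubseteq m^\sharp_{old}$ then
            $X(w) \leftarrow m^\sharp_{new}$
            $\mathit{Worklist} \leftarrow \mathit{Worklist} \cup \{ l \mid \langle w, m^\sharp_{new} \rangle \hookrightarrow^\sharp \langle l, \_ \rangle \}$
        endif
    until $\mathit{Worklist} = \emptyset$
    return $X$
end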
Example

• Consider an analysis with the interval abstract domain


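[Figure: control-flow graph with labels 0 to 3; one branch executes x = 0 (giving $x \mapsto [0,0]$), the other executes x = 1 (giving $x \mapsto [1,1]$), and the two branches merge, with the merge marked "$\sqcup$ ❓"]

$x \mapsto [0,0] \mathbin{\nabla} x \mapsto [0,1] = x \mapsto [0,+\infty]$ 😟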

Solution: Selective Widening

• Apply widening only when the label is the target of a cycling control flow

• e.g., while-loop heads, targets of cycling gotos, (spurious) call-cycle

• For other labels, apply the join operation instead

Case 1: Loop Heads

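// i = [0,0]
// x = [0,1]

[Figure: control-flow graph with the loop head while (*), followed by if (x == 1) branching to x = x - 1 … and x = x + 1 …, then i++]

Loop head: $i \mapsto [0,0] \mathbin{\nabla} i \mapsto [0,1] = i \mapsto [0,+\infty]$

$x \mapsto [0,0] \sqcup x \mapsto [0,1] = x \mapsto [0,1]$ 👍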

Case 2: Call-cycle

• Widening when a recursive call-cycle exists

    void f() {
        g++;
        f();
        return;
    }

[Figure: control-flow graph of f with the nodes g++, f();, … and return;, with two widening ($\nabla$) marks]

Case 2: Call-cycle (Cont’d)

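• Widening even when a spurious cycle occurs

• For example, in context-insensitive analysis

    int main() {
        g++;
        f(); // non-recursive
        f();
        return;
    }

[Figure: control-flow graph of main with the nodes g++, f();, f(); and return;, the entry and exit of f, and a widening ($\nabla$) mark]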

Caveat

• In general, cycle detection cannot be done before analysis

• control flow is dynamic (e.g., higher-order functions, exceptions, etc.)

• Possible solutions:

• online cycle-detection (during analysis): precise but costly

• offline cycle-detection with pre-analysis (before analysis): imprecise but lightweight
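
Selective widening combined with offline cycle detection, as an added example that is not part of the original slides: loop heads are found as targets of DFS back edges, then the worklist iteration widens only there and joins elsewhere. The CFG, its labels 4 and 5 (an extra loop), the stack-ordered worklist and all function names are assumptions constructed for this illustration.

```python
import math
INF, BOT = math.inf, None  # BOT = unreachable (empty interval)

def join(a, b):
    if a is BOT or b is BOT:
        return b if a is BOT else a
    return (min(a[0], b[0]), max(a[1], b[1]))

def widen(a, b):  # naive interval widening: unstable bounds go to infinity
    if a is BOT or b is BOT:
        return join(a, b)
    return (a[0] if a[0] <= b[0] else -INF, a[1] if a[1] >= b[1] else INF)

# Constructed CFG over one variable x: labels 0-3 are the branch/merge example,
# labels 4-5 add a loop "while (*) x = x + 1". Edge = (source, target, transfer).
EDGES = [(0, 2, lambda x: (1, 1)), (0, 1, lambda x: (0, 0)),
         (1, 3, lambda x: x), (2, 3, lambda x: x), (3, 4, lambda x: x),
         (4, 5, lambda x: (x[0] + 1, x[1] + 1)), (5, 4, lambda x: x)]
LABELS = sorted({l for s, d, _ in EDGES for l in (s, d)})

def loop_heads(entry=0):
    """Offline cycle detection: targets of back edges found by a DFS."""
    heads, state = set(), {}
    def dfs(n):
        state[n] = "open"
        for s, d, _ in EDGES:
            if s == n and state.get(d) == "open":
                heads.add(d)
            elif s == n and d not in state:
                dfs(d)
        state[n] = "done"
    dfs(entry)
    return heads

def analyze(widen_at, entry=0):
    """Worklist iteration; widening only at labels in widen_at, join elsewhere."""
    X = {l: BOT for l in LABELS}
    work = LABELS[::-1]  # used as a stack, so label 0 is popped first
    while work:
        w = work.pop()
        new = (-INF, INF) if w == entry else BOT
        for s, d, f in EDGES:
            if d == w and X[s] is not BOT:
                new = join(new, f(X[s]))
        new = widen(X[w], new) if w in widen_at else join(X[w], new)
        if new != X[w]:
            X[w] = new
            work += [d for s, d, _ in EDGES if s == w]
    return X
```

With this visiting order the merge label 3 is reached before both branches have been analyzed, so `analyze(set(LABELS))` (widening everywhere) loses the upper bound there, while `analyze(loop_heads())` keeps x in [0, 1] at label 3 and still terminates on the loop at label 4.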

Problem 2: Hasty Join

    x = ?; // any value
    i = 1;
    while (i > 0) {
        if (x < 0 || x > 1000) {
            // [-∞, +∞]: initialization step
            x = 0;
        } else {
            // [0, 1000]
            x = x + 1;
        }
        input(i);
    }
    // actually, x is in [0, 1001]

• The abstract value for x with a naive approach would be [-∞, +∞]

• Idea: detach the first iteration from the rest

Solution: Loop Unrolling

Original loop:

    x = ?; // any value
    i = 1;
    while (i > 0) {
        if (x < 0 || x > 1000) {
            x = 0;
        } else {
            x = x + 1;
        }
        input(i);
    }
    // actually, x is in [0, 1001]

After unrolling the first iteration:

    x = ?; // any value
    i = 1;
    // first iteration
    if (x < 0 || x > 1000) {
        x = 0;
    } else {
        x = x + 1;
    }
    input(i);
    // x is in [0, 1001]
    // rest
    while (i > 0) {
        if (x < 0 || x > 1000) {
            x = 0;
        } else {
            x = x + 1;
        }
        input(i);
    }
    // x is in [0, 1001]

Problem 3: Hasty Widening

    x = 0;
    while (*) {
        if (*) {
            x = -1;
        } else {
            x = x + 1;
        }
    }
    // x >= -1

$x \mapsto [0,0] \mathbin{\nabla} x \mapsto [-1,1] = x \mapsto [-\infty,+\infty]$

• The abstract value of x with a naive approach would be [-∞, +∞]

• Idea: delay the application of widening for the first N iterations

Solution: Delayed Widening

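Delayed widening where N = 1

    x = 0;
    while (*) {
        if (*) {
            x = -1;
        } else {
            x = x + 1;
        }
    }
    // x >= -1

$x \mapsto [0,0] \sqcup x \mapsto [-1,1] = x \mapsto [-1,1]$
$x \mapsto [-1,1] \mathbin{\nabla} x \mapsto [-1,2] = x \mapsto [-1,+\infty]$
$x \mapsto [-1,+\infty] \mathbin{\nabla} x \mapsto [-1,+\infty] = x \mapsto [-1,+\infty]$

Fixed Point!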

Problem 4: Excessive Widening

    x = 0;
    // actually, x is in [0, 50]
    while (x <= 100) {
        if (x >= 50) {
            x = 10;
        } else {
            x = x + 1;
        }
    }

$x \mapsto [0,0] \mathbin{\nabla} x \mapsto [0,1] = x \mapsto [0,+\infty]$

• The abstract value of x with a naive approach is [0, +∞]

• Idea: use a slower and more precise widening

Solution: Widening with Thresholds

• Take several small steps and stop at predefined threshold values

• For example, consider only one threshold B:

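A naive widening operator:

$$[n, p] \mathbin{\nabla} [n, q] = \begin{cases} [n, p] & \text{if } p \geq q \\ [n, +\infty] & \text{if } p < q \end{cases}$$

A widening with thresholds:

$$[n, p] \mathbin{\nabla} [n, q] = \begin{cases} [n, p] & \text{if } p \geq q \\ [n, B] & \text{if } p < q \leq B \\ [n, +\infty] & \text{if } B < q \end{cases}$$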

*only the right bounds, for brevity

Widening with Thresholds

Thresholds = {50}

    x = 0;
    while (x <= 100) {
        if (x >= 50) {
            x = 10;
        } else {
            x = x + 1;
        }
    }

$x \mapsto [0,0] \mathbin{\nabla} x \mapsto [0,1] = x \mapsto [0,50]$
$x \mapsto [0,50] \mathbin{\nabla} x \mapsto [0,50] = x \mapsto [0,50]$

Fixed Point!
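
The delayed-widening trace (Problem 3) and the threshold trace (Problem 4) reproduced by a small interval analyzer, as an added example that is not part of the original slides. The function names, the encoding of each loop body as an abstract transfer function, and the generalization of thresholds to both bounds are assumptions made for this illustration.

```python
import math

INF, BOT = math.inf, None  # BOT = empty interval (unreachable)

def join(a, b):
    if a is BOT or b is BOT:
        return b if a is BOT else a
    return (min(a[0], b[0]), max(a[1], b[1]))

def meet(a, b):
    if a is BOT or b is BOT:
        return BOT
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else BOT

def add(a, k):
    return BOT if a is BOT else (a[0] + k, a[1] + k)

def widen(old, new, thresholds=()):
    """old ∇ new: an unstable bound jumps to the nearest threshold, else to ±∞."""
    if old is BOT or new is BOT:
        return join(old, new)
    lo = old[0] if old[0] <= new[0] else max((t for t in thresholds if t <= new[0]), default=-INF)
    hi = old[1] if old[1] >= new[1] else min((t for t in thresholds if t >= new[1]), default=INF)
    return (lo, hi)

def loop_invariant(init, body, delay=0, thresholds=()):
    """Iterate at the loop head: join for the first `delay` rounds, then widen."""
    head, rounds = init, 0
    while True:
        new = join(init, body(head))
        nxt = join(head, new) if rounds < delay else widen(head, new, thresholds)
        if nxt == head:  # nothing new at the loop head: fixed point
            return head
        head, rounds = nxt, rounds + 1

def body3(x):  # Problem 3: if (*) x = -1; else x = x + 1;
    return join((-1, -1), add(x, 1))

def body4(x):  # Problem 4: guard x <= 100; if (x >= 50) x = 10; else x = x + 1;
    x = meet(x, (-INF, 100))
    then = (10, 10) if meet(x, (50, INF)) is not BOT else BOT
    return join(then, add(meet(x, (-INF, 49)), 1))

if __name__ == "__main__":
    print(loop_invariant((0, 0), body3), loop_invariant((0, 0), body3, delay=1))
    print(loop_invariant((0, 0), body4), loop_invariant((0, 0), body4, thresholds=(50,)))
```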

Summary

• “Loop is evil”: one of the main sources of imprecision

• Important to design effective iteration techniques

• no universal solutions

• depending on the target program’s characteristics

• Need for domain knowledge (human experts or learning techniques)
