18 research outputs found
A Static Analyzer for Large Safety-Critical Software
We show that abstract interpretation-based static program analysis can be
made efficient and precise enough to formally verify a class of properties for
a family of large programs with few or no false alarms. This is achieved by
refinement of a general purpose static analyzer and later adaptation to
particular programs of the family by the end-user through parametrization. This
is applied to the proof of soundness of data manipulation operations at the
machine level for periodic synchronous safety critical embedded software. The
main novelties are the design principle of static analyzers by refinement and
adaptation through parametrization, the symbolic manipulation of expressions to
improve the precision of abstract transfer functions, the octagon, ellipsoid,
and decision tree abstract domains, all with sound handling of rounding errors
in floating point computations, widening strategies (with thresholds, delayed)
and the automatic determination of the parameters (parametrized packing)
Predicate Abstraction with Under-approximation Refinement
We propose an abstraction-based model checking method which relies on
refinement of an under-approximation of the feasible behaviors of the system
under analysis. The method preserves errors to safety properties, since all
analyzed behaviors are feasible by definition. The method does not require an
abstract transition relation to be generated, but instead executes the concrete
transitions while storing abstract versions of the concrete states, as
specified by a set of abstraction predicates. For each explored transition the
method checks, with the help of a theorem prover, whether there is any loss of
precision introduced by abstraction. The results of these checks are used to
decide termination or to refine the abstraction by generating new abstraction
predicates. If the (possibly infinite) concrete system under analysis has a
finite bisimulation quotient, then the method is guaranteed to eventually
explore an equivalent finite bisimilar structure. We illustrate the application
of the approach for checking concurrent programs.Comment: 22 pages, 3 figures, accepted for publication in Logical Methods in
Computer Science journal (special issue CAV 2005
Static program analysis for string manipulation languages
In recent years, dynamic languages, such as JavaScript or Python, have been increasingly used in a wide range of fields and applications. Their tricky and misunderstood behaviors pose a hard challenge for static analysis of these programming languages. A key aspect of any dynamic language program is the multiple usage of strings, since they can be implicitly converted to another type value, transformed by string-to-code primitives or used to access an object-property. Unfortunately, string analyses for dynamic languages still lack precision and do not take into account some important string features. Moreover, string obfuscation is very popular in the context of dynamic language malicious code, for example, to hide code information inside strings and then to dynamically transform strings into executable code. In this scenario, more precise string analyses become a necessity. This paper is placed in the context of static string analysis by abstract interpretation and proposes a new semantics for string analysis, placing a first step for handling dynamic languages string features
Incompleteness of States w.r.t. Traces in Model Checking
Cousot and Cousot introduced and studied a general past/future-time
specification language, called mu*-calculus, featuring a natural time-symmetric
trace-based semantics. The standard state-based semantics of the mu*-calculus
is an abstract interpretation of its trace-based semantics, which turns out to
be incomplete (i.e., trace-incomplete), even for finite systems. As a
consequence, standard state-based model checking of the mu*-calculus is
incomplete w.r.t. trace-based model checking. This paper shows that any
refinement or abstraction of the domain of sets of states induces a
corresponding semantics which is still trace-incomplete for any propositional
fragment of the mu*-calculus. This derives from a number of results, one for
each incomplete logical/temporal connective of the mu*-calculus, that
characterize the structure of models, i.e. transition systems, whose
corresponding state-based semantics of the mu*-calculus is trace-complete
Generalizing the Paige-Tarjan Algorithm by Abstract Interpretation
The Paige and Tarjan algorithm (PT) for computing the coarsest refinement of
a state partition which is a bisimulation on some Kripke structure is well
known. It is also well known in model checking that bisimulation is equivalent
to strong preservation of CTL, or, equivalently, of Hennessy-Milner logic.
Drawing on these observations, we analyze the basic steps of the PT algorithm
from an abstract interpretation perspective, which allows us to reason on
strong preservation in the context of generic inductively defined (temporal)
languages and of possibly non-partitioning abstract models specified by
abstract interpretation. This leads us to design a generalized Paige-Tarjan
algorithm, called GPT, for computing the minimal refinement of an abstract
interpretation-based model that strongly preserves some given language. It
turns out that PT is a straight instance of GPT on the domain of state
partitions for the case of strong preservation of Hennessy-Milner logic. We
provide a number of examples showing that GPT is of general use. We first show
how a well-known efficient algorithm for computing stuttering equivalence can
be viewed as a simple instance of GPT. We then instantiate GPT in order to
design a new efficient algorithm for computing simulation equivalence that is
competitive with the best available algorithms. Finally, we show how GPT allows
to compute new strongly preserving abstract models by providing an efficient
algorithm that computes the coarsest refinement of a given partition that
strongly preserves the language generated by the reachability operator.Comment: Keywords: Abstract interpretation, abstract model checking, strong
preservation, Paige-Tarjan algorithm, refinement algorith
Abstract interpretation-based approaches to Security - A Survey on Abstract Non-Interference and its Challenging Applications.
In this paper we provide a survey on the framework of abstract non-interference. In particular, we describe a general formalization of abstract non-interference by means of three dimensions (observation, protection and semantics) that can be instantiated in order to obtain well known or even new weakened non-interference properties. Then, we show that the notions of abstract non-interference introduced in language-based security are instances of this more general framework which allows to better understand the different components of a non-interference policy. Finally, we consider two challenging research fields concerning security where abstract non-interference seems a promising approach providing new perspectives and new solutions to open problems: Code injection and code obfuscation
Generalized Strong Preservation by Abstract Interpretation
Standard abstract model checking relies on abstract Kripke structures which
approximate concrete models by gluing together indistinguishable states, namely
by a partition of the concrete state space. Strong preservation for a
specification language L encodes the equivalence of concrete and abstract model
checking of formulas in L. We show how abstract interpretation can be used to
design abstract models that are more general than abstract Kripke structures.
Accordingly, strong preservation is generalized to abstract
interpretation-based models and precisely related to the concept of
completeness in abstract interpretation. The problem of minimally refining an
abstract model in order to make it strongly preserving for some language L can
be formulated as a minimal domain refinement in abstract interpretation in
order to get completeness w.r.t. the logical/temporal operators of L. It turns
out that this refined strongly preserving abstract model always exists and can
be characterized as a greatest fixed point. As a consequence, some well-known
behavioural equivalences, like bisimulation, simulation and stuttering, and
their corresponding partition refinement algorithms can be elegantly
characterized in abstract interpretation as completeness properties and
refinements
Code obfuscation against abstraction refinement attacks
Code protection technologies require anti reverse engineering transformations to obfuscate programs in such a way that tools and methods for program analysis become ineffective. We introduce the concept of model deformation inducing an effective code obfuscation against attacks performed by abstract model checking. This means complicating the model in such a way a high number of spurious traces are generated in any formal verification of the property to disclose about the system under attack.We transform the program model in order to make the removal of spurious counterexamples by abstraction refinement maximally inefficient. Because our approach is intended to defeat the fundamental abstraction refinement strategy, we are independent from the specific attack carried out by abstract model checking. A measure of the quality of the obfuscation obtained by model deformation is given together with a corresponding best obfuscation strategy for abstract model checking based on partition refinement