445 research outputs found
Faster Algorithms for Weighted Recursive State Machines
Pushdown systems (PDSs) and recursive state machines (RSMs), which are
linearly equivalent, are standard models for interprocedural analysis. Yet RSMs
are more convenient as they (a) explicitly model function calls and returns,
and (b) specify many natural parameters for algorithmic analysis, e.g., the
number of entries and exits. We consider a general framework where RSM
transitions are labeled from a semiring and path properties are algebraic with
semiring operations, which can model, e.g., interprocedural reachability and
dataflow analysis problems.
Our main contributions are new algorithms for several fundamental problems.
As compared to a direct translation of RSMs to PDSs and the best-known existing
bounds of PDSs, our analysis algorithm improves the complexity for
finite-height semirings (that subsumes reachability and standard dataflow
properties). We further consider the problem of extracting distance values from
the representation structures computed by our algorithm, and give efficient
algorithms that distinguish the complexity of a one-time preprocessing from the
complexity of each individual query. Another advantage of our algorithm is that
our improvements carry over to the concurrent setting, where we improve the
best-known complexity for the context-bounded analysis of concurrent RSMs.
Finally, we provide a prototype implementation that gives a significant
speed-up on several benchmarks from the SLAM/SDV project
Sound and Precise Malware Analysis for Android via Pushdown Reachability and Entry-Point Saturation
We present Anadroid, a static malware analysis framework for Android apps.
Anadroid exploits two techniques to soundly raise precision: (1) it uses a
pushdown system to precisely model dynamically dispatched interprocedural and
exception-driven control-flow; (2) it uses Entry-Point Saturation (EPS) to
soundly approximate all possible interleavings of asynchronous entry points in
Android applications. (It also integrates static taint-flow analysis and least
permissions analysis to expand the class of malicious behaviors which it can
catch.) Anadroid provides rich user interface support for human analysts which
must ultimately rule on the "maliciousness" of a behavior.
To demonstrate the effectiveness of Anadroid's malware analysis, we had teams
of analysts analyze a challenge suite of 52 Android applications released as
part of the Auto- mated Program Analysis for Cybersecurity (APAC) DARPA
program. The first team analyzed the apps using a ver- sion of Anadroid that
uses traditional (finite-state-machine-based) control-flow-analysis found in
existing malware analysis tools; the second team analyzed the apps using a
version of Anadroid that uses our enhanced pushdown-based
control-flow-analysis. We measured machine analysis time, human analyst time,
and their accuracy in flagging malicious applications. With pushdown analysis,
we found statistically significant (p < 0.05) decreases in time: from 85
minutes per app to 35 minutes per app in human plus machine analysis time; and
statistically significant (p < 0.05) increases in accuracy with the
pushdown-driven analyzer: from 71% correct identification to 95% correct
identification.Comment: Appears in 3rd Annual ACM CCS workshop on Security and Privacy in
SmartPhones and Mobile Devices (SPSM'13), Berlin, Germany, 201
Generating Predicate Callback Summaries for the Android Framework
One of the challenges of analyzing, testing and debugging Android apps is
that the potential execution orders of callbacks are missing from the apps'
source code. However, bugs, vulnerabilities and refactoring transformations
have been found to be related to callback sequences. Existing work on control
flow analysis of Android apps have mainly focused on analyzing GUI events. GUI
events, although being a key part of determining control flow of Android apps,
do not offer a complete picture. Our observation is that orthogonal to GUI
events, the Android API calls also play an important role in determining the
order of callbacks. In the past, such control flow information has been modeled
manually. This paper presents a complementary solution of constructing program
paths for Android apps. We proposed a specification technique, called Predicate
Callback Summary (PCS), that represents the callback control flow information
(including callback sequences as well as the conditions under which the
callbacks are invoked) in Android API methods and developed static analysis
techniques to automatically compute and apply such summaries to construct apps'
callback sequences. Our experiments show that by applying PCSs, we are able to
construct Android apps' control flow graphs, including inter-callback
relations, and also to detect infeasible paths involving multiple callbacks.
Such control flow information can help program analysis and testing tools to
report more precise results. Our detailed experimental data is available at:
http://goo.gl/NBPrKsComment: 11 page
Safety verification of asynchronous pushdown systems with shaped stacks
In this paper, we study the program-point reachability problem of concurrent
pushdown systems that communicate via unbounded and unordered message buffers.
Our goal is to relax the common restriction that messages can only be retrieved
by a pushdown process when its stack is empty. We use the notion of partially
commutative context-free grammars to describe a new class of asynchronously
communicating pushdown systems with a mild shape constraint on the stacks for
which the program-point coverability problem remains decidable. Stacks that fit
the shape constraint may reach arbitrary heights; further a process may execute
any communication action (be it process creation, message send or retrieval)
whether or not its stack is empty. This class extends previous computational
models studied in the context of asynchronous programs, and enables the safety
verification of a large class of message passing programs
Enabling Additional Parallelism in Asynchronous JavaScript Applications
JavaScript is a single-threaded programming language, so asynchronous programming is practiced out of necessity to ensure that applications remain responsive in the presence of user input or interactions with file systems and networks. However, many JavaScript applications execute in environments that do exhibit concurrency by, e.g., interacting with multiple or concurrent servers, or by using file systems managed by operating systems that support concurrent I/O. In this paper, we demonstrate that JavaScript programmers often schedule asynchronous I/O operations suboptimally, and that reordering such operations may yield significant performance benefits. Concretely, we define a static side-effect analysis that can be used to determine how asynchronous I/O operations can be refactored so that asynchronous I/O-related requests are made as early as possible, and so that the results of these requests are awaited as late as possible. While our static analysis is potentially unsound, we have not encountered any situations where it suggested reorderings that change program behavior. We evaluate the refactoring on 20 applications that perform file- or network-related I/O. For these applications, we observe average speedups ranging between 0.99% and 53.6% for the tests that execute refactored code (8.1% on average)
Underapproximation of Procedure Summaries for Integer Programs
We show how to underapproximate the procedure summaries of recursive programs
over the integers using off-the-shelf analyzers for non-recursive programs. The
novelty of our approach is that the non-recursive program we compute may
capture unboundedly many behaviors of the original recursive program for which
stack usage cannot be bounded. Moreover, we identify a class of recursive
programs on which our method terminates and returns the precise summary
relations without underapproximation. Doing so, we generalize a similar result
for non-recursive programs to the recursive case. Finally, we present
experimental results of an implementation of our method applied on a number of
examples.Comment: 35 pages, 3 figures (this report supersedes the STTT version which in
turn supersedes the TACAS'13 version
Algorithmic Verification of Asynchronous Programs
Asynchronous programming is a ubiquitous systems programming idiom to manage
concurrent interactions with the environment. In this style, instead of waiting
for time-consuming operations to complete, the programmer makes a non-blocking
call to the operation and posts a callback task to a task buffer that is
executed later when the time-consuming operation completes. A co-operative
scheduler mediates the interaction by picking and executing callback tasks from
the task buffer to completion (and these callbacks can post further callbacks
to be executed later). Writing correct asynchronous programs is hard because
the use of callbacks, while efficient, obscures program control flow.
We provide a formal model underlying asynchronous programs and study
verification problems for this model. We show that the safety verification
problem for finite-data asynchronous programs is expspace-complete. We show
that liveness verification for finite-data asynchronous programs is decidable
and polynomial-time equivalent to Petri Net reachability. Decidability is not
obvious, since even if the data is finite-state, asynchronous programs
constitute infinite-state transition systems: both the program stack and the
task buffer of pending asynchronous calls can be potentially unbounded.
Our main technical construction is a polynomial-time semantics-preserving
reduction from asynchronous programs to Petri Nets and conversely. The
reduction allows the use of algorithmic techniques on Petri Nets to the
verification of asynchronous programs.
We also study several extensions to the basic models of asynchronous programs
that are inspired by additional capabilities provided by implementations of
asynchronous libraries, and classify the decidability and undecidability of
verification questions on these extensions.Comment: 46 pages, 9 figure
- …