Context-Free Path Querying by Matrix Multiplication

Graph data models are widely used in many areas, for example, bioinformatics, graph databases. In these areas, it is often required to process queries for large graphs. Some of the most common graph queries are navigational queries. The result of query evaluation is a set of implicit relations between nodes of the graph, i.e. paths in the graph. A natural way to specify these relations is by specifying paths using formal grammars over the alphabet of edge labels. An answer to a context-free path query in this approach is usually a set of triples (A, m, n) such that there is a path from the node m to the node n, whose labeling is derived from a non-terminal A of the given context-free grammar. This type of queries is evaluated using the relational query semantics. Another example of path query semantics is the single-path query semantics which requires presenting a single path from the node m to the node n, whose labeling is derived from a non-terminal A for all triples (A, m, n) evaluated using the relational query semantics. There is a number of algorithms for query evaluation which use these semantics but all of them perform poorly on large graphs. One of the most common technique for efficient big data processing is the use of a graphics processing unit (GPU) to perform computations, but these algorithms do not allow to use this technique efficiently. In this paper, we show how the context-free path query evaluation using these query semantics can be reduced to the calculation of the matrix transitive closure. Also, we propose an algorithm for context-free path query evaluation which uses relational query semantics and is based on matrix operations that make it possible to speed up computations by using a GPU.Comment: 9 pages, 11 figures, 2 table

Active Learning of Points-To Specifications

When analyzing programs, large libraries pose significant challenges to static points-to analysis. A popular solution is to have a human analyst provide points-to specifications that summarize relevant behaviors of library code, which can substantially improve precision and handle missing code such as native code. We propose ATLAS, a tool that automatically infers points-to specifications. ATLAS synthesizes unit tests that exercise the library code, and then infers points-to specifications based on observations from these executions. ATLAS automatically infers specifications for the Java standard library, and produces better results for a client static information flow analysis on a benchmark of 46 Android apps compared to using existing handwritten specifications

콜-리턴 짝이 맞는 경로에 대한 사용자 상호작용을 통해 정보흐름 분석 경보를 분류하는 방법

학위논문 (석사)-- 서울대학교 대학원 : 컴퓨터공학부, 2017. 2. 이광근.본 논문은 정보 흐름 분석기의 경보 분류 문제를 해결하기 위해 사용자상호작용을 통한 효율적인 경보 분류 방법을 제안한다. 이 방법은 사용자제약식을 만족하는 콜-리턴 짝이 맞는 최단 함수 호출 경로를 안전하고효율적으로 찾음으로써 사용자의 경보 분류를 돕는다. 우리는 이 방법의실용성을 보이기 위하여 경보 분류 시스템 SHOVEL을 디자인 및구현하였다. 구현된 경보 분류기 SHOVEL과 정적 분석기 SPARROW를 통해총 44개의 오픈소스 C 프로그램으로부터 360개의 경보를 분류하였다. 이과정에서 경보의 진위여부를 평균 2.93회의 적은 수의 사용자상호작용으로 판단할 수 있었다. 또한, 경보 분류를 통해 48개의 버그를발견하였고 그중 3개의 버그에 대해 CVE번호를 부여받았다.제 1 장 서론 1 1.1 동기 1 1.2 해결책 1 1.3 사용자 상호작용 2 1.3.1 사용자 상호작용 예제 3 1.4 결과 6 1.5 논문의 구성 7 제 2 장 콜-리턴 짝이 맞는 함수 호출 경로 표현 8 2.1 함수 호출 경로 8 2.2 콜-리턴 짝이 맞는 경로 정의 8 2.3 콜-리턴 짝이 맞는 경로의 효율적인 표현 10 제 3 장 콜-리턴 짝이 맞는 함수 호출 경로 탐색 12 3.1 알고리즘 12 3.2 콜-리턴 짝이 맞는 경로의 부울식 인코딩 13 3.2.1 부울식 인코딩 함수 Φ 14 3.2.2 Φ 적용 16 제 4 장 실험 결과 22 4.1 실험 환경 22 4.2 평가 23 4.3 발견된 실제 취약점 26 제 5 장 연구의 한계 및 보완 사항 29 5.1 연구의 한계 29 5.2 보완 사항 29 제 6 장 관련 연구 31 제 7 장 결론 33 제 A 장 부록 34 참고문헌 39 Abstract 44Maste

Lifestate: Event-Driven Protocols and Callback Control Flow

Developing interactive applications (apps) against event-driven software frameworks such as Android is notoriously difficult. To create apps that behave as expected, developers must follow complex and often implicit asynchronous programming protocols. Such protocols intertwine the proper registering of callbacks to receive control from the framework with appropriate application-programming interface (API) calls that in turn affect the set of possible future callbacks. An app violates the protocol when, for example, it calls a particular API method in a state of the framework where such a call is invalid. What makes automated reasoning hard in this domain is largely what makes programming apps against such frameworks hard: the specification of the protocol is unclear, and the control flow is complex, asynchronous, and higher-order. In this paper, we tackle the problem of specifying and modeling event-driven application-programming protocols. In particular, we formalize a core meta-model that captures the dialogue between event-driven frameworks and application callbacks. Based on this meta-model, we define a language called lifestate that permits precise and formal descriptions of application-programming protocols and the callback control flow imposed by the event-driven framework. Lifestate unifies modeling what app callbacks can expect of the framework with specifying rules the app must respect when calling into the framework. In this way, we effectively combine lifecycle constraints and typestate rules. To evaluate the effectiveness of lifestate modeling, we provide a dynamic verification algorithm that takes as input a trace of execution of an app and a lifestate protocol specification to either produce a trace witnessing a protocol violation or a proof that no such trace is realizable

On the Practice and Application of Context-Free Language Reachability

The Context-Free Language Reachability (CFL-R) formalism relates to some of the most important computational problems facing researchers and industry practitioners. CFL-R is a generalisation of graph reachability and language recognition, such that pairs in a labelled graph are reachable if and only if there is a path between them whose labels, joined together in the order they were encountered, spell a word in a given context-free language. The formalism finds particular use as a vehicle for phrasing and reasoning about program analysis, since complex relationships within the data, logic or structure of computer programs are easily expressed and discovered in CFL-R. Unfortunately, The potential of CFL-R can not be met by state of the art solvers. Current algorithms have scalability and expressibility issues that prevent them from being used on large graph instances or complex grammars. This work outlines our efforts in understanding the practical concerns surrounding CFL-R, and applying this knowledge to improve the performance of CFL-R applications. We examine the major difficulties with solving CFL-R-based analyses at-scale, via a case-study of points-to analysis as a CFL-R problem. Points-to analysis is fundamentally important to many modern research and industry efforts, and is relevant to optimisation, bug-checking and security technologies. Our understanding of the scalability challenge motivates work in developing practical CFL-R techniques. We present improved evaluation algorithms and declarative optimisation techniques for CFL-R, capitalising on the simplicity of CFL-R to creating fully automatic methodologies. The culmination of our work is a general-purpose and high-performance tool called Cauliflower, a solver-generator for CFL-R problems. We describe Cauliflower and evaluate its performance experimentally, showing significant improvement over alternative general techniques

Specification Inference Using Context-Free Language Reachability

We present a framework for computing context-free language reachability properties when parts of the program are missing. Our framework infers candidate specifications for missing pro-gram pieces that are needed for verifying a property of interest, and presents these specifications to a human auditor for validation. We have implemented this framework for a taint analysis of Android apps that relies on specifications for Android library methods. In an extensive experimental study on 179 apps, our tool performs veri-fication with only a small number of queries to a human auditor