Enforcing Termination of Interprocedural Analysis
Interprocedural analysis by means of partial tabulation of summary functions
may not terminate when the same procedure is analyzed for infinitely many
abstract calling contexts or when the abstract domain has infinite strictly
ascending chains. As a remedy, we present a novel local solver for general
abstract equation systems, be they monotonic or not, and prove that this solver
fails to terminate only when infinitely many variables are encountered. We
clarify in which sense the computed results are sound. Moreover, we show that
interprocedural analysis performed by this novel local solver is guaranteed to
terminate for all non-recursive programs --- irrespective of whether the
complete lattice is infinite or has infinite strictly ascending or descending
chains.
Using global analysis, partial specifications, and an extensible assertion language for program validation and debugging
We discuss a framework for the application of abstract interpretation as an aid during program development, rather than in the more traditional application of program optimization. Program validation and detection of errors is first performed statically by comparing (partial) specifications written in terms of assertions against information obtained from (global) static analysis of the program. The results of this process are expressed in the user assertion language. Assertions (or parts of assertions) which cannot be checked statically are translated into run-time tests. The framework allows the use of assertions to be optional. It also allows using very general properties in assertions, beyond the predefined set understandable by the static analyzer and including properties defined by user programs. We also report briefly on an implementation of the framework. The resulting tool generates and checks assertions for Prolog, CLP(R), and CHIP/CLP(fd) programs, and integrates compile-time and run-time checking in a uniform way. The tool allows using properties such as types, modes, non-failure, determinacy,
and computational cost, and can treat modules separately, performing incremental analysis.
Secrecy capacity of a class of orthogonal relay eavesdropper channels
The secrecy capacity of relay channels with orthogonal components is studied
in the presence of an additional passive eavesdropper node. The relay and
destination receive signals from the source on two orthogonal channels such
that the destination also receives transmissions from the relay on its channel.
The eavesdropper can overhear either one or both of the orthogonal channels.
Inner and outer bounds on the secrecy capacity are developed for both the
discrete memoryless and the Gaussian channel models. For the discrete
memoryless case, the secrecy capacity is shown to be achieved by a partial
decode-and-forward (PDF) scheme when the eavesdropper can overhear only one of
the two orthogonal channels. Two new outer bounds are presented for the
Gaussian model using recent capacity results for a Gaussian multi-antenna
point-to-point channel with a multi-antenna eavesdropper. The outer bounds are
shown to be tight for two sub-classes of channels. The first sub-class is one
in which the source and relay are clustered and the eavesdropper
receives signals only on the channel from the source and the relay to the
destination, for which the PDF strategy is optimal. The second is a sub-class
in which the source does not transmit to the relay, for which a
noise-forwarding strategy is optimal. Comment: Submitted to Eurasip Journal on Wireless Communications and
Networking special issue on Wireless physical layer security, Dec. 2008,
Revised Jun. 200
Certified compilation for cryptography: Extended x86 instructions and constant-time verification
We present a new tool for the generation and verification of high-assurance high-speed machine-level cryptography implementations: a certified C compiler supporting instruction extensions to the x86. We demonstrate the practical applicability of our tool by incorporating it into supercop: a toolkit for measuring the performance of cryptographic software, which includes over 2000 different implementations. We show i. that the coverage of x86 implementations in supercop increases significantly due to the added support of instruction extensions via intrinsics and ii. that the obtained verifiably correct implementations are much closer in performance to unverified ones. We extend our compiler with a specialized type system that acts at pre-assembly level; this is the first constant-time verifier that can deal with extended instruction sets. We confirm that, by using instruction extensions, the performance penalty for verifiably constant-time code can be greatly reduced. This work is financed by National Funds through the FCT - Fundação para a Ciência e a Tecnologia (Portuguese Foundation for Science and Technology) within the project PTDC/CCI-INF/31698/2017, and by the Norte Portugal Regional Operational Programme (NORTE 2020) under the Portugal 2020 Partnership Agreement, through the European Regional Development Fund (ERDF) and also by national funds through the FCT, within project NORTE-01-0145-FEDER-028550 (REASSURE).
Improving static analyses of C programs with conditional predicates
Best paper award. International audience. Static code analysis is increasingly used to guarantee the absence of undesirable behaviors in industrial programs. Designing sound analyses is a continuing trade-off between precision and complexity. Notably, dataflow analyses often perform overly wide approximations when two control-flow paths meet, by merging states from each path. This paper presents a generic abstract-interpretation-based framework to enhance the precision of such analyses at join points. It relies on predicated domains, which preserve and reuse information valid only inside some branches of the code. Our predicates are derived from conditional statements, and postpone the loss of information. The work has been integrated into Frama-C, a C source code analysis platform. Experiments on real code show that our approach scales, and significantly improves the precision of the existing analyses of Frama-C.
Multivariant Assertion-based Guidance in Abstract Interpretation
Approximations during program analysis are a necessary evil, as they ensure
essential properties, such as soundness and termination of the analysis, but
they also imply not always producing useful results. Automatic techniques have
been studied to prevent precision loss, typically at the expense of larger
resource consumption. In both cases (i.e., when analysis produces inaccurate
results and when resource consumption is too high), it is necessary to have
some means for users to provide information to guide analysis and thus improve
precision and/or performance. We present techniques for supporting within an
abstract interpretation framework a rich set of assertions that can deal with
multivariance/context-sensitivity, and can handle different run-time semantics
for those assertions that cannot be discharged at compile time. We show how the
proposed approach can be applied to both improving precision and accelerating
analysis. We also provide some formal results on the effects of such assertions
on the analysis results. Comment: Pre-proceedings paper presented at the 28th International Symposium
on Logic-Based Program Synthesis and Transformation (LOPSTR 2018), Frankfurt
am Main, Germany, 4-6 September 2018 (arXiv:1808.03326)
Subsumer-First: Steering Symbolic Reachability Analysis
Symbolic reachability analysis provides a basis for the verification of software systems by offering algorithmic support for the exploration of the program state space when searching for proofs or counterexamples. The choice of exploration strategy employed by the analysis has direct impact on its success, whereas the ability to find short counterexamples quickly and—as a complementary task—to efficiently perform the exhaustive state space traversal are of utmost importance for the majority of verification efforts. Existing exploration strategies can optimize only one of these objectives, which leads to a sub-optimal reachability analysis, e.g., breadth-first search may sacrifice the exploration efficiency and chaotic iteration can miss minimal counterexamples. In this paper we present subsumer-first, a new approach for steering symbolic reachability analysis that targets both minimal counterexample discovery and efficiency of exhaustive exploration. Our approach leverages the result of fixpoint checks performed during symbolic reachability analysis to bias the exploration strategy towards its objectives, and does not require any additional computation. We demonstrate how the subsumer-first approach can be applied to improve efficiency of software verification tools based on predicate abstraction. Our experimental evaluation indicates the practical usefulness of the approach: we observe significant efficiency improvements (median value 40%) on difficult verification benchmarks from the transportation domain.
Sharing Ghost Variables in a Collection of Abstract Domains
International audience. We propose a framework in which we share ghost variables across a collection of abstract domains, allowing precise proofs of complex properties. In abstract interpretation, it is often necessary to be able to express complex properties while doing a precise analysis. A way to achieve that is to combine a collection of domains, each handling some kind of properties, using a reduced product. Separating domains allows an easier and more modular implementation, and eases soundness and termination proofs. This way, we can add a domain for any kind of property that is interesting. The reduced product, or an approximation of it, is in charge of refining abstract states, making the analysis precise. In program verification, ghost variables can be used to ease proofs of properties by storing intermediate values that do not appear directly in the execution. We propose a reduced product of abstract domains that allows domains to use ghost variables to ease the representation of their internal state. Domains must be totally agnostic with respect to other existing domains. In particular, the handling of ghost variables must be entirely decentralized while still ensuring soundness and termination of the analysis.