Abstract Program Slicing: an Abstract Interpretation-based approach to Program Slicing

In the present paper we formally define the notion of abstract program slicing, a general form of program slicing where properties of data are considered instead of their exact value. This approach is applied to a language with numeric and reference values, and relies on the notion of abstract dependencies between program components (statements). The different forms of (backward) abstract slicing are added to an existing formal framework where traditional, non-abstract forms of slicing could be compared. The extended framework allows us to appreciate that abstract slicing is a generalization of traditional slicing, since traditional slicing (dealing with syntactic dependencies) is generalized by (semantic) non-abstract forms of slicing, which are actually equivalent to an abstract form where the identity abstraction is performed on data. Sound algorithms for computing abstract dependencies and a systematic characterization of program slices are provided, which rely on the notion of agreement between program states

Abstract interpretation-based approaches to Security - A Survey on Abstract Non-Interference and its Challenging Applications.

In this paper we provide a survey on the framework of abstract non-interference. In particular, we describe a general formalization of abstract non-interference by means of three dimensions (observation, protection and semantics) that can be instantiated in order to obtain well known or even new weakened non-interference properties. Then, we show that the notions of abstract non-interference introduced in language-based security are instances of this more general framework which allows to better understand the different components of a non-interference policy. Finally, we consider two challenging research fields concerning security where abstract non-interference seems a promising approach providing new perspectives and new solutions to open problems: Code injection and code obfuscation

Static Program Analysis for String Manipulation Languages

In recent years, dynamic languages, such as JavaScript or Python, have been increasingly used in a wide range of fields and applications. Their tricky and misunderstood behaviors pose a hard challenge for static analysis of these programming languages. A key aspect of any dynamic language program is the multiple usage of strings, since they can be implicitly converted to another type value, transformed by string-to-code primitives or used to access an object-property. Unfortunately, string analyses for dynamic languages still lack precision and do not take into account some important string features. Moreover, string obfuscation is very popular in the context of dynamic language malicious code, for example, to hide code information inside strings and then to dynamically transform strings into executable code. In this scenario, more precise string analyses become a necessity. This paper is placed in the context of static string analysis by abstract interpretation and proposes a new semantics for string analysis, placing a first step for handling dynamic languages string features.Comment: In Proceedings VPT 2019, arXiv:1908.0672

Analyzing Dynamic Code: A Sound Abstract Interpreter for evil eval

Dynamic languages, such as JavaScript, employ string-to-code primitives to turn dynamically generated text into executable code at run-time. These features make standard static analysis extremely hard if not impossible because its essential data structures, i.e., the control-flow graph and the system of recursive equations associated with the program to analyze, are themselves dynamically mutating objects. Nevertheless, assembling code at run-time by manipulating strings, such as by eval in JavaScript, has been always strongly discouraged since it is often recognized that \u201ceval is evil", leading static analyzers to not consider such statements or ignoring their effects. Unfortunately, the lack of formal approaches to analyze string-to-code statements pose a perfect habitat for malicious code, that is surely evil and do not respect good practice rules, allowing them to hide malicious intents as strings to be converted to code and making static analyses blind to the real malicious aim of the code. Hence, the need to handle string-to-code statements approximating what they can execute, and therefore allowing the analysis to continue (even in presence of dynamically generated program statements) with an acceptable degree of precision, should be clear. In order to reach this goal, we propose a static analysis allowing us to collect string values and to soundly over-approximate and analyze the code potentially executed by a string-to-code statement

Transforming semantics by abstract interpretation

In 1997, Cousot introduced a hierarchy where semantics are related with each other by abstract interpretation. In this field we consider the standard abstract domain transformers, devoted to refine abstract domains in order to include attribute independent and relational information, respectively the reduced product and power of abstract domains, as domain operations to systematically design and compare semantics of programming languages by abstract interpretation. We first prove that natural semantics can be decomposed in terms of complementary attribute independent observables, leading to an algebraic characterization of the symmetric structure of the hierarchy. Moreover, we characterize some structural property of semantics, such as their compositionality, in terms of simple abstract domain equations. This provides an equational presentation of most well known semantics, which is parametric on the observable and structural property of the semantics, making it possible to systematically derive abstract semantics, e.g. for program analysis, as solutions of abstract domain equations

Infections as Abstract Symbolic Finite Automata: Formal Model and Applications.

In this paper, we propose a methodology, based on machine learning, for building a symbolic finite state automata based model of infected systems, that expresses the interaction between the malware and the environment by combining in the same model the code and the semantics of a system and allowing to tune both the system and the malware code observation. Moreover, we show that this methodology may have several applications in the context of malware detection

Static Analysis for ECMAScript String Manipulation Programs

In recent years, dynamic languages, such as JavaScript or Python, have been increasingly used in a wide range of fields and applications. Their tricky and misunderstood behaviors pose a great challenge for static analysis of these languages. A key aspect of any dynamic language program is the multiple usage of strings, since they can be implicitly converted to another type value, transformed by string-to-code primitives or used to access an object-property. Unfortunately, string analyses for dynamic languages still lack precision and do not take into account some important string features. In this scenario, more precise string analyses become a necessity. The goal of this paper is to place a first step for precisely handling dynamic language string features. In particular, we propose a new abstract domain approximating strings as finite state automata and an abstract interpretation-based static analysis for the most common string manipulating operations provided by the ECMAScript specification. The proposed analysis comes with a prototype static analyzer implementation for an imperative string manipulating language, allowing us to show and evaluate the improved precision of the proposed analysis

How Fitting is Your Abstract Domain?

Abstract interpretation offers sound and decidable approxi- mations for undecidable queries related to program behavior. The effec- tiveness of an abstract domain is entirely reliant on the abstract domain itself, and the worst-case scenario is when the abstract interpreter pro- vides a response of “don’t know”, indicating that anything could happen during runtime. Conversely, a desirable outcome is when the abstract in- terpreter provides information that exceeds a specified level of precision, resulting in a more precise answer. The concept of completeness relates to the level of precision that is forfeited when performing computations within the abstract domain. Our focus is on the domain’s ability to ex- press program behaviour, which we refer to as adequacy. In this paper, we present a domain refinement strategy towards adequacy and a sim- ple sound proof system for adequacy, designed to determine whether an abstract domain is capable of providing satisfactory responses to spec- ified program queries. Notably, this proof system is both language and domain agnostic, and can be readily incorporated to support static pro- gram analysis

Analyzing program dependences for malware detection.

Metamorphic malware continuously modify their code, while preserving their functionality, in order to foil misuse detection. The key for defeating metamorphism relies in a semantic characterization of the embedding of the malware into the target program. Indeed, a behavioral model of program infection that does not relay on syntactic program features should be able to defeat metamorphism. Moreover, a general model of infection should be able to express dependences and interactions between the malicious codeand the target program. ANI is a general theory for the analysis of dependences of data in a program. We propose an high order theory for ANI, later called HOANI, that allows to study program dependencies. Our idea is then to formalize and study the malware detection problem in terms of HOANI

A proof system for Abstract Non-Interference

In this paper, we provide an inductive proof system for a notion of abstractnon-interference which fits in every field of computer science wherewe are interested in observing how different programs data interfere witheach other. The idea is to abstract from language-based security and considergenerically data as distinguished between internal (that has to beprotected by the program) and observable. In this more general contextwe derive a proof system which allows us to characterise abstract noninterferenceproperties inductively on the syntactic structure of programs.We finally show how this framework can be instantiated to language-basedsecurity