804 research outputs found
Static Analysis of Run-Time Errors in Embedded Real-Time Parallel C Programs
We present a static analysis by Abstract Interpretation to check for run-time
errors in parallel and multi-threaded C programs. Following our work on
Astr\'ee, we focus on embedded critical programs without recursion nor dynamic
memory allocation, but extend the analysis to a static set of threads
communicating implicitly through a shared memory and explicitly using a finite
set of mutual exclusion locks, and scheduled according to a real-time
scheduling policy and fixed priorities. Our method is thread-modular. It is
based on a slightly modified non-parallel analysis that, when analyzing a
thread, applies and enriches an abstract set of thread interferences. An
iterator then re-analyzes each thread in turn until interferences stabilize. We
prove the soundness of our method with respect to the sequential consistency
semantics, but also with respect to a reasonable weakly consistent memory
semantics. We also show how to take into account mutual exclusion and thread
priorities through a partitioning over an abstraction of the scheduler state.
We present preliminary experimental results analyzing an industrial program
with our prototype, Th\'es\'ee, and demonstrate the scalability of our
approach
Abstract Interpretation of Supermodular Games
Supermodular games find significant applications in a variety of models,
especially in operations research and economic applications of noncooperative
game theory, and feature pure strategy Nash equilibria characterized as fixed
points of multivalued functions on complete lattices. Pure strategy Nash
equilibria of supermodular games are here approximated by resorting to the
theory of abstract interpretation, a well established and known framework used
for designing static analyses of programming languages. This is obtained by
extending the theory of abstract interpretation in order to handle
approximations of multivalued functions and by providing some methods for
abstracting supermodular games, in order to obtain approximate Nash equilibria
which are shown to be correct within the abstract interpretation framework
Enforcing Termination of Interprocedural Analysis
Interprocedural analysis by means of partial tabulation of summary functions
may not terminate when the same procedure is analyzed for infinitely many
abstract calling contexts or when the abstract domain has infinite strictly
ascending chains. As a remedy, we present a novel local solver for general
abstract equation systems, be they monotonic or not, and prove that this solver
fails to terminate only when infinitely many variables are encountered. We
clarify in which sense the computed results are sound. Moreover, we show that
interprocedural analysis performed by this novel local solver, is guaranteed to
terminate for all non-recursive programs --- irrespective of whether the
complete lattice is infinite or has infinite strictly ascending or descending
chains
The PER model of abstract non-interference
Abstract. In this paper, we study the relationship between two models of secure information flow: the PER model (which uses equivalence relations) and the abstract non-interference model (which uses upper closure operators). We embed the lattice of equivalence relations into the lattice of closures, re-interpreting abstract non-interference over the lattice of equivalence relations. For narrow abstract non-interference, we show non-interference it is strictly less general. The relational presentation of abstract non-interference leads to a simplified construction of the most concrete harmless attacker. Moreover, the PER model of abstract noninterference allows us to derive unconstrained attacker models, which do not necessarily either observe all public information or ignore all private information. Finally, we show how abstract domain completeness can be used for enforcing the PER model of abstract non-interference
A Static Analyzer for Large Safety-Critical Software
We show that abstract interpretation-based static program analysis can be
made efficient and precise enough to formally verify a class of properties for
a family of large programs with few or no false alarms. This is achieved by
refinement of a general purpose static analyzer and later adaptation to
particular programs of the family by the end-user through parametrization. This
is applied to the proof of soundness of data manipulation operations at the
machine level for periodic synchronous safety critical embedded software. The
main novelties are the design principle of static analyzers by refinement and
adaptation through parametrization, the symbolic manipulation of expressions to
improve the precision of abstract transfer functions, the octagon, ellipsoid,
and decision tree abstract domains, all with sound handling of rounding errors
in floating point computations, widening strategies (with thresholds, delayed)
and the automatic determination of the parameters (parametrized packing)
Analyzing program analyses
We want to prove that a static analysis of a given program is complete, namely, no imprecision arises when asking some query on the program behavior in the concrete (i.e., for its concrete semantics) or in the abstract (i.e., for its abstract interpretation). Completeness proofs are therefore useful to assign confidence to alarms raised by static analyses. We introduce the completeness class of an abstraction as the set of all programs for which the abstraction is complete. Our first result shows that for any nontrivial abstraction, its completeness class is not recursively enumerable. We then introduce a stratified deductive system a2A to prove the completeness of program analyses over an abstract domain A. We prove the soundness of the deductive system. We observe that the only sources of incompleteness are assignments and Boolean tests \u2014 unlikely a common belief in static analysis, joins do not induce incompleteness. The first layer of this proof system is generic, abstraction-agnostic, and it deals with the standard constructs for program composition, that is, sequential composition, branching and guarded iteration. The second layer is instead abstraction-specific: the designer of an abstract domain A provides conditions for completeness in A of assignments and Boolean tests which have to be checked by a suitable static analysis or assumed in the completeness proof as hypotheses. We instantiate the second layer of this proof system first with a generic nonrelational abstraction in order to provide a sound rule for the completeness of assignments. Orthogonally, we instantiate it to the numerical abstract domains of Intervals and Octagons, providing necessary and sufficient conditions for the completeness of their Boolean tests and of assignments for Octagons
A Logical Product Approach to Zonotope Intersection
We define and study a new abstract domain which is a fine-grained combination
of zonotopes with polyhedric domains such as the interval, octagon, linear
templates or polyhedron domain. While abstract transfer functions are still
rather inexpensive and accurate even for interpreting non-linear computations,
we are able to also interpret tests (i.e. intersections) efficiently. This
fixes a known drawback of zonotopic methods, as used for reachability analysis
for hybrid sys- tems as well as for invariant generation in abstract
interpretation: intersection of zonotopes are not always zonotopes, and there
is not even a best zonotopic over-approximation of the intersection. We
describe some examples and an im- plementation of our method in the APRON
library, and discuss some further in- teresting combinations of zonotopes with
non-linear or non-convex domains such as quadratic templates and maxplus
polyhedra
A Scalable Segmented Decision Tree Abstract Domain
International audienceThe key to precision and scalability in all formal methods for static program analysis and verification is the handling of disjunctions arising in relational analyses, the flow-sensitive traversal of conditionals and loops, the context-sensitive inter-procedural calls, the interleaving of concurrent threads, etc. Explicit case enumeration immediately yields to combinatorial explosion. The art of scalable static analysis is therefore to abstract disjunctions to minimize cost while preserving weak forms of disjunctions for expressivity. Building upon packed binary decision trees to handle disjunction in tests, loops and procedure/function calls and array segmentation to handle disjunctions in array content analysis, we have introduced segmented decision trees to allow for more expressivity while mastering costs via widenings
Secrecy capacity of a class of orthogonal relay eavesdropper channels
The secrecy capacity of relay channels with orthogonal components is studied
in the presence of an additional passive eavesdropper node. The relay and
destination receive signals from the source on two orthogonal channels such
that the destination also receives transmissions from the relay on its channel.
The eavesdropper can overhear either one or both of the orthogonal channels.
Inner and outer bounds on the secrecy capacity are developed for both the
discrete memoryless and the Gaussian channel models. For the discrete
memoryless case, the secrecy capacity is shown to be achieved by a partial
decode-and-forward (PDF) scheme when the eavesdropper can overhear only one of
the two orthogonal channels. Two new outer bounds are presented for the
Gaussian model using recent capacity results for a Gaussian multi-antenna
point-to-point channel with a multi-antenna eavesdropper. The outer bounds are
shown to be tight for two sub-classes of channels. The first sub-class is one
in which the source and relay are clustered and the and the eavesdropper
receives signals only on the channel from the source and the relay to the
destination, for which the PDF strategy is optimal. The second is a sub-class
in which the source does not transmit to the relay, for which a
noise-forwarding strategy is optimal.Comment: Submitted to Eurasip Journal on Wireless Communications and
Networking special issue on Wireless physical layer security, Dec. 2008,
Revised Jun. 200
- …