Soundly Handling Static Fields: Issues, Semantics and Analysis
Although in most cases class initialization works as expected, some static
fields may be read before being initialized, despite being initialized in their
corresponding class initializer. We propose an analysis which computes, for each
program point, the set of static fields that must have been initialized and
discuss its soundness. We show that such an analysis can be directly applied to
identify the static fields that may be read before being initialized and to
improve the precision while preserving the soundness of a null-pointer
analysis. Comment: Proceedings of the Fourth Workshop on Bytecode Semantics,
Verification, Analysis and Transformation (BYTECODE 2009)
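A minimal Java example (ours, not from the paper) of the phenomenon: both fields are initialized in their class initializers, yet one is read while it still holds its default value, because initialization is cyclic and the JVM lets an in-progress initialization proceed.

```java
class A {
    static int x = B.y + 1;   // triggers B's class initializer
}

class B {
    static int y = A.x + 1;   // A is still initializing: reads the default 0
}

public class ClinitCycle {
    public static void main(String[] args) {
        // Touching A first runs A's <clinit>, which runs B's <clinit>,
        // which reads A.x before it has been initialized.
        System.out.println(A.x + " " + B.y);   // prints "2 1"
    }
}
```

An analysis of the kind described would flag the read of `A.x` inside `B`'s initializer as possibly uninitialized.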
Towards a Certified Lightweight Array Bound Checker for Java Bytecode
Dynamic array bound checks are crucial for the security of the Java Virtual Machine. These dynamic checks are however expensive, and several static analysis techniques have been proposed to eliminate explicit bounds checks. Such analyses require advanced numerical and symbolic manipulations that 1) penalize bytecode loading or dynamic compilation, and 2) complicate the trusted computing base. Following the Foundational Proof Carrying Code methodology, our goal is to provide a lightweight bytecode verifier for eliminating array bound checks that is both efficient and trustworthy. In this work, we define a generic relational program analysis for an imperative, stack-oriented bytecode language with procedures, arrays and global variables, and instantiate it with polyhedra as the relational abstract domain. The analysis automatically infers loop invariants and method pre-/post-conditions, and its results can be checked efficiently by a simple checker. Invariants, which can be large, can be specialized for proving a safety policy using an automatic pruning technique which reduces their size. The result of the analysis can be checked efficiently by annotating the program with parts of the invariant together with certificates of polyhedral inclusions. The resulting checker is sufficiently simple to be entirely certified within the Coq proof assistant for a simple fragment of the Java bytecode language. During the talk, we will also report on our ongoing effort to scale this approach to the full sequential JVM
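The split between untrusted inference and a small trusted checker can be sketched with a much simpler domain than polyhedra. The following toy Java checker (our simplification; all names are ours) only verifies that an annotated interval invariant implies that an array access is in bounds:

```java
// Toy interval domain: the checker does not infer invariants, it merely
// validates an annotated invariant by a cheap inclusion test -- the same
// division of labor as the paper's polyhedral certificates.
final class Itv {
    final int lo, hi;                      // represents {v | lo <= v <= hi}
    Itv(int lo, int hi) { this.lo = lo; this.hi = hi; }
    boolean includedIn(Itv o) { return o.lo <= lo && hi <= o.hi; }
}

public class BoundsCert {
    // Certificate check for "for (i = 0; i < n; i++) a[i]" with a.length == n:
    // the annotated loop invariant on i must imply 0 <= i <= n - 1.
    static boolean checkAccess(Itv invariant, int arrayLen) {
        return invariant.includedIn(new Itv(0, arrayLen - 1));
    }

    public static void main(String[] args) {
        System.out.println(checkAccess(new Itv(0, 9), 10));   // true: check removable
        System.out.println(checkAccess(new Itv(0, 10), 10));  // false: keep the check
    }
}
```

The trusted base is only the inclusion test, not the inference machinery, which is what makes full certification in Coq feasible.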
Enforcing Secure Object Initialization in Java
For secure Java development, Sun and the CERT recommend not allowing access to
partially initialized objects. The CERT considers the severity of the
risks taken by not following this recommendation as high. The solution
currently used to enforce object initialization is to implement a coding
pattern proposed by Sun, which is not formally checked. We propose a modular
type system to formally specify the initialization policy of libraries or
programs and a type checker to statically check at load time that all loaded
classes respect the policy. This allows us to prove the absence of bugs which have
allowed some famous privilege escalations in Java. Our experimental results
show that our safe default policy allows us to prove 91% of the classes of java.lang,
java.security and javax.security safe without any annotation and by adding 57
simple annotations we proved all classes but four safe. The type system and its
soundness theorem have been formalized and machine-checked using Coq
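The coding pattern in question can be illustrated as follows (an illustrative sketch with hypothetical names, not Sun's exact code): sensitive methods refuse to run until the constructor has completed its checks, so an attacker who obtains a partially initialized instance, e.g. through a finalizer invoked after a constructor exception, cannot use it.

```java
public class SensitiveOp {
    private volatile boolean initialized = false;  // default: not trusted

    public SensitiveOp() {
        securityCheck();        // may throw, leaving initialized == false
        initialized = true;     // reached only if all checks passed
    }

    private static void securityCheck() { /* e.g. a permission check */ }

    public String operate() {
        if (!initialized) {
            throw new SecurityException("partially initialized instance");
        }
        return "ok";
    }

    public static void main(String[] args) {
        System.out.println(new SensitiveOp().operate());   // prints "ok"
    }
}
```

The point of the paper is that this discipline is enforced only by convention; the proposed type system checks it statically at load time.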
Preface
Prefac
A Formally Verified WCET Estimation Tool
The application of formal methods in the development of safety-critical embedded software is recommended in order to provide strong guarantees about the absence of software errors. In this context, WCET estimation tools are an important element to be formally verified. We present a formally verified WCET estimation tool, integrated into the formally verified CompCert C compiler. Our tool comes with a machine-checked proof which ensures that its WCET estimates are safe. The tool operates over C programs and is composed of two main parts: a loop bound estimation and an Implicit Path Enumeration Technique (IPET)-based WCET calculation method. We evaluated the precision of the WCET estimates on a reference benchmark and obtained results which are competitive with state-of-the-art WCET estimation techniques
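The IPET part can be summarized by its standard ILP formulation (general textbook form; the symbols are ours, not necessarily the tool's):

```latex
\mathrm{WCET} \;=\; \max \sum_{i} c_i\, x_i
\quad\text{subject to}\quad
x_{\mathrm{entry}} = 1, \qquad
x_i \;=\; \sum_{e \in \mathrm{in}(i)} d_e \;=\; \sum_{e \in \mathrm{out}(i)} d_e, \qquad
x_{\ell} \;\le\; N_{\ell}\, x_{h(\ell)}
```

where \(x_i\) counts executions of basic block \(i\), \(c_i\) is its local worst-case cost, \(d_e\) counts traversals of edge \(e\), the flow constraints enforce structural consistency, and \(N_\ell\) bounds the iterations of loop \(\ell\) relative to its header \(h(\ell)\). The loop bound estimation supplies the \(N_\ell\).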
Formal Verification of an SSA-based Middle-end for CompCert
CompCert is a formally verified compiler that generates compact and efficient PowerPC, ARM and x86 code for a large and realistic subset of the C language. However, CompCert foregoes using Static Single Assignment (SSA), an intermediate representation that allows for writing simpler and faster optimizers, and that is used by many compilers. In fact, formally verifying an SSA-based compiler middle-end had remained an open problem. We report on a formally verified, SSA-based middle-end for CompCert. Our middle-end performs conversion from the CompCert intermediate form to SSA form, optimization of SSA programs, including Global Value Numbering, and transformation out of SSA back to the intermediate form. In addition to providing the first formally verified SSA-based middle-end, we address two problems raised by Leroy in 2009: giving a simple and intuitive formal semantics to SSA, and leveraging the global properties of SSA to reason locally about program optimizations
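The flavor of value numbering can be conveyed by a toy, purely local pass (illustrative only; CompCert's verified GVN is global and far more involved): two instructions computing the same operation on operands with equal value numbers receive the same number, so the second computation is redundant.

```java
import java.util.*;

public class LocalGVN {
    // Each instruction is {dst, op, src1, src2}; returns the destinations
    // whose right-hand side was already computed earlier in the block.
    static Set<String> redundantDefs(String[][] code) {
        Map<String, Integer> valueOf = new HashMap<>(); // variable -> value number
        Map<String, Integer> exprNum = new HashMap<>(); // "op:v1:v2" -> value number
        int[] fresh = {0};
        Set<String> redundant = new HashSet<>();
        for (String[] ins : code) {
            int v1 = valueOf.computeIfAbsent(ins[2], k -> fresh[0]++);
            int v2 = valueOf.computeIfAbsent(ins[3], k -> fresh[0]++);
            String key = ins[1] + ":" + v1 + ":" + v2;
            Integer known = exprNum.get(key);
            if (known != null) {
                redundant.add(ins[0]);       // value already available
                valueOf.put(ins[0], known);
            } else {
                int v = fresh[0]++;
                exprNum.put(key, v);
                valueOf.put(ins[0], v);
            }
        }
        return redundant;
    }

    public static void main(String[] args) {
        String[][] code = {
            {"t1", "+", "a", "b"},
            {"t2", "+", "a", "b"},    // same op on same value numbers: redundant
            {"t3", "+", "a", "t1"},
        };
        System.out.println(redundantDefs(code));  // prints [t2]
    }
}
```

SSA makes this kind of reasoning easier precisely because each variable has a single definition, so value numbers never need to be invalidated by reassignment.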
Building certified static analysers by modular construction of well-founded lattices
This paper presents fixpoint calculations on lattice structures as an example of highly modular programming in a dependently typed functional language. We propose a library of Coq module functors for constructing complex lattices using efficient data structures. The lattice signature contains a well-foundedness proof obligation which ensures termination of generic fixpoint iteration algorithms. With this library, complex well-foundedness proofs can hence be constructed in a functorial fashion. This paper contains two distinct contributions. We first demonstrate the ability of the recent Coq module system to manipulate algebraic structures and to extract efficient OCaml implementations from them. The second contribution is a generic result, based on the constructive notion of an accessibility predicate, about the preservation of accessibility properties when combining relations
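The library's central idea, generic fixpoint iteration whose termination rests on a well-foundedness property of the lattice, can be sketched in Java (a hypothetical sketch; the paper's functors are Coq modules carrying the proof obligation, not runtime code):

```java
import java.util.function.UnaryOperator;

public class Fixpoint {
    interface Lattice<T> {
        T bottom();
        T join(T a, T b);
        boolean leq(T a, T b);
    }

    // Kleene iteration towards a least fixpoint of a monotone f. Termination
    // requires that the lattice has no infinite ascending chains -- in the
    // paper, that requirement is a proof obligation in the lattice signature.
    static <T> T lfp(Lattice<T> l, UnaryOperator<T> f) {
        T x = l.bottom();
        while (true) {
            T next = l.join(x, f.apply(x));
            if (l.leq(next, x)) return x;
            x = next;
        }
    }

    static int demo() {
        // The finite chain 0 <= 1 <= ... <= 10 is trivially well-founded upward.
        Lattice<Integer> chain = new Lattice<Integer>() {
            public Integer bottom() { return 0; }
            public Integer join(Integer a, Integer b) { return Math.max(a, b); }
            public boolean leq(Integer a, Integer b) { return a <= b; }
        };
        return lfp(chain, x -> Math.min(x + 3, 10));
    }

    public static void main(String[] args) {
        System.out.println(demo());  // prints 10
    }
}
```

Combining lattices (products, maps, lifted domains) preserves this termination property, which is what the paper's accessibility-preservation result establishes constructively.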
A Certified Denotational Abstract Interpreter
Abstract Interpretation proposes advanced techniques for static analysis of programs that raise specific challenges for machine-checked soundness proofs. Most classical dataflow analysis techniques iterate operators on lattices without infinite ascending chains. In contrast, abstract interpreters look for fixpoints in infinite lattices, where widening and narrowing are used to accelerate convergence. Smart iteration strategies are crucial when using such accelerating operators because they directly impact the precision of the analysis diagnostic. In this paper, we show how we manage to program, and prove correct in Coq, an abstract interpreter that uses iteration strategies based on program syntax. A key component of the formalization is an intermediate semantics based on a generic least-fixpoint operator on complete lattices, which allows us to decompose the soundness proof in an elegant manner
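Widening can be illustrated on intervals (the standard textbook operator, not the paper's exact formalization): a bound that is still growing is pushed straight to infinity, so iteration converges even though the interval lattice has infinite ascending chains.

```java
public class Widening {
    static final long NEG_INF = Long.MIN_VALUE, POS_INF = Long.MAX_VALUE;

    record Itv(long lo, long hi) { }   // lo/hi of NEG_INF/POS_INF encode +/-oo

    // Standard interval widening: any unstable bound jumps to infinity.
    static Itv widen(Itv old, Itv next) {
        return new Itv(next.lo() < old.lo() ? NEG_INF : old.lo(),
                       next.hi() > old.hi() ? POS_INF : old.hi());
    }

    public static void main(String[] args) {
        // Abstracting "i = 0; while (...) i++": each loop body iteration
        // raises the upper bound by 1, so plain iteration would never stop.
        Itv x = new Itv(0, 0);
        Itv afterBody = new Itv(0, 1);          // one more increment observed
        x = widen(x, afterBody);                // unstable upper bound -> +oo
        System.out.println(x.hi() == POS_INF);  // prints true
    }
}
```

A subsequent narrowing phase can then recover precision (e.g. reintroduce the loop's exit condition as an upper bound), which is why the iteration strategy matters so much for the final diagnostic.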
Leveraging Static Analysis for Bug Repair
We propose a method combining machine learning with a static analysis tool
(i.e., Infer) to automatically repair source code. Machine learning methods
perform well for producing idiomatic source code. However, their output is
sometimes difficult to trust as language models can output incorrect code with
high confidence. Static analysis tools are trustworthy, but also less flexible
and produce non-idiomatic code. In this paper, we propose to fix resource leak
bugs in IR space, and to use a sequence-to-sequence model to propose fixes in
source code space. We also study several decoding strategies, and use Infer to
filter the output of the model. On a dataset of CodeNet submissions with
potential resource leak bugs, our method is able to find a function with the
same semantics that does not raise a warning with around 97% precision and 66%
recall. Comment: 13 pages. DL4C 202
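The class of bug being repaired can be illustrated in plain Java (a hypothetical example; the actual dataset consists of CodeNet submissions):

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class LeakFix {
    // Leaky form: if read() throws, the stream is never closed -- the shape
    // of bug Infer reports as a resource leak.
    static int firstByteLeaky(String path) throws IOException {
        FileInputStream in = new FileInputStream(path);
        int b = in.read();
        in.close();              // skipped if read() throws
        return b;
    }

    // Repaired, semantics-preserving form: try-with-resources closes the
    // stream on every path, normal or exceptional, so the warning disappears.
    static int firstByteFixed(String path) throws IOException {
        try (FileInputStream in = new FileInputStream(path)) {
            return in.read();
        }
    }

    public static void main(String[] args) throws IOException {
        Path p = Files.createTempFile("leakfix", ".bin");
        Files.write(p, new byte[] { 42 });
        System.out.println(firstByteFixed(p.toString()));  // prints 42
    }
}
```

Filtering candidate fixes through the analyzer, as the paper proposes, keeps only those candidates for which the warning is actually gone.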
Defining and Reasoning About General Recursive Functions in Type Theory: a Practical Method
We propose a practical method for defining and proving properties of general (i.e., not necessarily structural) recursive functions in proof assistants based on type theory. The idea is to define the graph of the intended function as an inductive relation, and to prove that the relation actually represents a function, which is by construction the function that we are trying to define. Then, we generate induction principles for proving other arbitrary properties of the function. The approach has been experimented with in the Coq proof assistant, but should work in like-minded proof assistants as well. It allows for functions with mutual recursive calls and nested recursive calls, and also works for the standard encoding of partial functions using total functions over a dependent type that restricts the original function's domain. We present simple examples and report on a larger case study (sets of integers represented as ordered lists of intervals) that we have conducted in the context of certified static analyses
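The graph-as-inductive-relation idea can be sketched for Euclid's gcd (in Lean 4 here for brevity; the paper's development is in Coq, and the names are ours):

```lean
-- The graph of Euclid's gcd as an inductive relation: GcdRel a b r is meant
-- to hold exactly when gcd a b = r.
inductive GcdRel : Nat → Nat → Nat → Prop
  | base : ∀ a, GcdRel a 0 a
  | step : ∀ a b r, b ≠ 0 → GcdRel b (a % b) r → GcdRel a b r

-- Following the method, one then proves that the relation is deterministic
-- (∀ a b r₁ r₂, GcdRel a b r₁ → GcdRel a b r₂ → r₁ = r₂) and total on the
-- intended domain, recovers the function from those proofs, and derives an
-- induction principle that follows gcd's recursive call structure.
```

Note how the `step` constructor mirrors the recursive call `gcd b (a % b)` without requiring the termination argument up front; termination is dealt with separately in the totality proof.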