56 research outputs found

    Regular hedge model checking

    We extend the regular model checking framework so that it can handle systems with arbitrary width tree-like structures. Configurations of a system are represented by trees of arbitrary arities, sets of configurations are represented by regular hedge automata, and the dynamics of a system is modeled by a regular hedge transducer. We consider the problem of computing the transitive closure T^+ of a regular hedge transducer T. This construction is not possible in general. Therefore, we present a general acceleration technique for computing T^+. Our method consists of enhancing the termination of the iterative computation of the different compositions T^i by merging the states of the hedge transducers according to an appropriate equivalence relation that preserves the traces of the transducers. We provide a methodology for effectively deriving equivalence relations that are appropriate. We have successfully applied our technique to compute transitive closures for some mutual exclusion protocols defined on arbitrary width tree topologies, as well as for an XML application.
    4th IFIP International Conference on Theoretical Computer Science. Red de Universidades con Carreras en Informática (RedUNCI)

    Mining Malware Specifications through Static Reachability Analysis

    The number of malicious software (malware) is growing out of control. Syntactic signature based detection cannot cope with such growth and manual construction of malware signature databases needs to be replaced by computer learning based approaches. Currently, a single modern signature capturing the semantics of a malicious behavior can be used to replace an arbitrarily large number of old-fashioned syntactical signatures. However teaching computers to learn such behaviors is a challenge. Existing work relies on dynamic analysis to extract malicious behaviors, but such technique does not guarantee the coverage of all behaviors. To sidestep this limitation we show how to learn malware signatures using static reachability analysis. The idea is to model binary programs using pushdown systems (that can be used to model the stack operations occurring during the binary code execution), use reachability analysis to extract behaviors in the form of trees, and use subtrees that are common among the trees extracted from a training set of malware files as signatures. To detect malware we propose to use a tree automaton to compactly store malicious behavior trees and check if any of the subtrees extracted from the file under analysis is malicious. Experimental data shows that our approach can be used to learn signatures from a training set of malware files and use them to detect a test set of malware that is 5 times the size of the training set.

    SPADE: Verification of Multithreaded Dynamic and Recursive Programs

    The tool SPADE allows to analyse automatically boolean programs with parallelism, communication between parallel processes, dynamic process creation, and recursion at the same time. As far as we know, this is the first software model checking tool based on an expressive model that accurately models all these aspects in programs.

    LNCS

    Systems ought to behave reasonably even in circumstances that are not anticipated in their specifications. We propose a definition of robustness for liveness specifications which prescribes, for any number of environment assumptions that are violated, a minimal number of system guarantees that must still be fulfilled. This notion of robustness can be formulated and realized using a Generalized Reactivity formula. We present an algorithm for synthesizing robust systems from such formulas. For the important special case of Generalized Reactivity formulas of rank 1, our algorithm improves the complexity of [PPS06] for large specifications with a small number of assumptions and guarantees.

    Computing Transitive Closures of Hedge Transformations

    We consider the framework of regular hedge model checking where configurations are represented by trees of arbitrary arities, sets of configurations are represented by regular hedge automata, and the dynamic of a system is modeled by a term rewriting system. We consider the problem of computing the transitive closure R*(L) of a hedge automaton L and a (not necessarily structure preserving) term rewriting system R. This construction is not possible in general. Therefore, we present a semi-algorithm that computes, in case of termination, an over-approximation of this reachability set. We show that our procedure computes the exact reachability set in many practical applications. We have successfully applied our technique to compute transitive closures for some mutual exclusion protocols defined on arbitrary width tree topologies, as well as for two interesting XML applications.

    Register Automata for Malware Specification

    With the huge impact that internet is having in our daily life, it is becoming urgent to have efficient malware detection techniques. In this paper, we present a new approach to perform malware detection. We use register automata to describe malware specifications, and pushdown systems to model the program. This allows to keep track of both the program's stack and the values of the registers. Indeed, both the stack and the registers are needed to have precise malware specifications. To check whether the program contains some malicious behavior, we perform a kind of product between the pushdown system and the register automaton describing the malicious behaviors. Whether the program is malicious or not is then reduced to reachability checking in pushdown systems. We implemented our techniques in a prototype and obtained encouraging preliminary results.