Results 1-10 of 237
Compositional Model Checking
1999
Cited by 2426 (62 self)
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
Program Analysis and Specialization for the C Programming Language
1994
Cited by 529 (0 self)
Software engineers are faced with a dilemma. They want to write general and well-structured programs that are flexible and easy to maintain. On the other hand, generality has a price: efficiency. A specialized program solving a particular problem is often significantly faster than a general program. However, the development of specialized software is time-consuming, and is likely to exceed the production of today's programmers. New techniques are required to solve this so-called software crisis. Partial evaluation is a program specialization technique that reconciles the benefits of generality with efficiency. This thesis presents an automatic partial evaluator for the Ansi C programming language. The content of this thesis is analysis and transformation of C programs. We develop several analyses that support the transformation of a program into its generating extension. A generating extension is a program that produces specialized programs when executed on parts of the input. The thesis contains the following main results.
Interprocedural Dataflow Analysis via Graph Reachability
1994
Cited by 371 (32 self)
This paper shows how a large class of interprocedural dataflow-analysis problems can be solved precisely in polynomial time. The only restrictions are that the set of dataflow facts is a finite set, and that the dataflow functions distribute over the confluence operator (either union or intersection). This class of problems includes, but is not limited to, the classical separable problems (also known as "gen/kill" or "bit-vector" problems), e.g., reaching definitions, available expressions, and live variables. In addition, the class of problems that our techniques handle includes many non-separable problems, including truly-live variables, copy-constant propagation, and possibly-uninitialized variables. A novel aspect of our approach is that an interprocedural dataflow-analysis problem is transformed into a special kind of graph-reachability problem (reachability along interprocedurally realizable paths). The paper presents three polynomial-time algorithms for the realizable-path reachability problem: an exhaustive version, a second exhaustive version that may be more appropriate in the incremental and/or interactive context, and a demand version. The first and third of these algorithms are asymptotically faster than the best previously known realizable-path reachability algorithm. An additional benefit of our techniques is that they lead to improved algorithms for two other kinds of interprocedural analysis problems: interprocedural flow-sensitive side-effect problems (as studied by Callahan) and interprocedural program slicing (as studied by Horwitz, Reps, and Binkley).
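The abstract's key move, turning a distributive dataflow problem into reachability along interprocedurally realizable paths, is easiest to see on a program where plain reachability gets the wrong answer. The block below is an added example, not code from the paper: it encodes a constructed toy program (one global `x`, a "possibly uninitialized" fact, a procedure `f` called twice from `main`) as an exploded graph and compares naive graph reachability with a simplified tabulation-style algorithm that builds path edges and summary edges so that a return only goes back to the matching call site. The node names, the `FLOW`/`CALLS` tables and the identity treatment of call and return edges are my simplifications, not the paper's data structures.

```python
from collections import deque

ZERO = "0"   # the distinguished fact that is reachable everywhere

# Constructed toy program (an added example, not from the paper). One global
# x, fact "x" = "x is possibly uninitialized", one procedure f that is the
# identity on every fact, called twice from main.
#   main: m0: x = <uninit>     gen x
#         m1: call f           returns to m2
#         m2: x = 0            kill x
#         m3: call f           returns to m4
#         m4: exit of main
#   f:    f0: entry
#         f1: exit
PROC_OF = {"m0": "main", "m1": "main", "m2": "main", "m3": "main",
           "m4": "main", "f0": "f", "f1": "f"}
START = {"main": "m0", "f": "f0"}
EXIT = {"main": "m4", "f": "f1"}
# Intraprocedural edges: node -> (successor, micro-function). A micro-function
# maps one input fact to its set of output facts; unlisted facts pass through
# unchanged. Distributivity is what lets a dataflow function be encoded as
# these per-fact edges of the "exploded" graph.
FLOW = {
    "m0": ("m1", {ZERO: {ZERO, "x"}}),   # gen x
    "m2": ("m3", {"x": set()}),           # kill x
    "f0": ("f1", {}),                     # identity
}
# Call nodes: call node -> (callee, return-site node). Call and return edges
# are the identity on the global x; the call-to-return edge carries only ZERO.
CALLS = {"m1": ("f", "m2"), "m3": ("f", "m4")}

def apply_fn(fn, fact):
    return fn.get(fact, {fact})

def naive_reach():
    """Plain reachability in the exploded graph. It follows every path,
    including the unrealizable one that enters f from m1 and returns to m4."""
    seen = {(START["main"], ZERO)}
    work = deque(seen)
    while work:
        n, d = work.popleft()
        succ = []
        if n in FLOW:
            s, fn = FLOW[n]
            succ += [(s, d2) for d2 in apply_fn(fn, d)]
        if n in CALLS:
            callee, ret = CALLS[n]
            succ.append((START[callee], d))
            if d == ZERO:
                succ.append((ret, ZERO))
        if n == EXIT[PROC_OF[n]]:
            succ += [(ret, d) for callee, ret in CALLS.values()
                     if callee == PROC_OF[n]]
        for e in succ:
            if e not in seen:
                seen.add(e); work.append(e)
    return seen

def tabulate():
    """Realizable-path reachability: path edges (sp,d1)->(n,d2) stay inside
    one procedure, and summary edges (call,d4)->(ret,d5) record what a callee
    does, so a return is only propagated back to the matching call site."""
    path, summary, work = set(), set(), deque()

    def propagate(e):
        if e not in path:
            path.add(e); work.append(e)

    propagate(((START["main"], ZERO), (START["main"], ZERO)))
    while work:
        (sp, d1), (n, d2) = work.popleft()
        if n in CALLS:
            callee, ret = CALLS[n]
            cs = START[callee]
            propagate(((cs, d2), (cs, d2)))            # enter callee with d2
            if d2 == ZERO:
                propagate(((sp, d1), (ret, ZERO)))     # call-to-return edge
            for (c, d4), (r, d5) in summary:
                if (c, d4) == (n, d2):
                    propagate(((sp, d1), (r, d5)))     # reuse callee summary
        elif n == EXIT[PROC_OF[n]]:
            for c, (callee, ret) in CALLS.items():
                if START[callee] != sp:
                    continue
                # call edge (c,d1)->(sp,d1) and return edge (n,d2)->(ret,d2)
                # are both identity here, so the summary is (c,d1)->(ret,d2)
                s = ((c, d1), (ret, d2))
                if s not in summary:
                    summary.add(s)
                    for (sp2, d3), (m, d4) in list(path):
                        if (m, d4) == (c, d1):
                            propagate(((sp2, d3), (ret, d2)))
        elif n in FLOW:
            s, fn = FLOW[n]
            for d3 in apply_fn(fn, d2):
                propagate(((sp, d1), (s, d3)))
    return {(n, d2) for (_, _), (n, d2) in path}

def facts_at(node, reachable):
    """Non-ZERO facts that hold at `node` according to a reachable set."""
    return {d for n, d in reachable if n == node and d != ZERO}

if __name__ == "__main__":
    for label, reach in (("naive", naive_reach()), ("realizable", tabulate())):
        print(label, {n: sorted(facts_at(n, reach)) for n in PROC_OF})
```

Naive reachability reports `x` as possibly uninitialized at `m4` because it walks from the first call into `f` and out through the second call's return edge, a path no execution can take. The tabulation only adds the summary `(m3, x) -> (m4, x)` when a path edge actually reaches `(m3, x)`, which never happens because `m2` kills `x`, so the realizable-path answer at `m4` is empty. The same bookkeeping is what makes the precision of the paper's algorithms polynomial rather than exponential in the number of call sites.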
A System and Language for Building System-Specific, Static Analyses
In Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation, 2002
Cited by 196 (14 self)
This paper presents a novel approach to bug-finding analysis and an implementation of that approach. Our goal is to find as many serious bugs as possible. To do so, we designed a flexible, easy-to-use extension language for specifying analyses and an efficient algorithm for executing these extensions. The language, metal, allows the users of our system to specify a broad class of analyses in terms that resemble the intuitive description of the rules that they check. The system, xgcc, executes these analyses efficiently using a context-sensitive, interprocedural analysis.
Verification by abstract interpretation
In Verification: Theory and Practice, 2003
Cited by 195 (16 self)
Dedicated to Zohar Manna, for his 2^6th birthday. Abstract interpretation theory formalizes the idea of abstraction of mathematical structures, in particular those involved in the specification of properties and proof methods of computer systems. Verification by abstract interpretation is illustrated on the particular cases of predicate abstraction, which is revisited to handle infinitary abstractions, and on the new parametric predicate abstraction.
A Static Analyzer for Large Safety-Critical Software
2003
Cited by 181 (41 self)
We show that abstract interpretation-based static program analysis can be made efficient and precise enough to formally verify a class of properties for a family of large programs with few or no false alarms. This is achieved by refinement of a general purpose static analyzer and later adaptation to particular programs of the family by the end-user through parametrization. This is applied to the proof of soundness of data manipulation operations at the machine level for periodic synchronous safety critical embedded software. The main novelties are the design principle of static analyzers by refinement and adaptation through parametrization, the symbolic manipulation of expressions to improve the precision of abstract transfer functions, ellipsoid and decision tree abstract domains, all with sound handling of rounding errors in floating point computations, widening strategies (with thresholds, delayed) and the automatic determination of the parameters (parametrized packing).
Undecidability of Static Analysis
ACM Letters on Programming Languages and Systems, 1992
Cited by 142 (5 self)
Static Analysis of programs is indispensable to any software tool, environment, or system that requires compile time information about the semantics of programs. With the emergence of languages like C and LISP, Static Analysis of programs with dynamic storage and recursive data structures has become a field of active research. Such analysis is difficult, and the Static Analysis community has recognized the need for simplifying assumptions and approximate solutions. However, even under the common simplifying assumptions, such analyses are harder than previously recognized. Two fundamental Static Analysis problems are May Alias and Must Alias. The former is not recursive (i.e., is undecidable) and the latter is not recursively enumerable (i.e., is uncomputable), even when all paths are executable in the program being analyzed for languages with if-statements, loops, dynamic storage, and recursive data structures.
Pointer Analysis for Multithreaded Programs
ACM SIGPLAN 99, 1999
Cited by 134 (13 self)
This paper presents a novel interprocedural, flow-sensitive, and context-sensitive pointer analysis algorithm for multithreaded programs that may concurrently update shared pointers. For each pointer and each program point, the algorithm computes a conservative approximation of the memory locations to which that pointer may point. The algorithm correctly handles a full range of constructs in multithreaded programs, including recursive functions, function pointers, structures, arrays, nested structures and arrays, pointer arithmetic, casts between pointer variables of different types, heap and stack allocated memory, shared global variables, and thread-private global variables. We have implemented the algorithm in the SUIF compiler system and used the implementation to analyze a sizable set of multithreaded programs written in the Cilk multithreaded programming language. Our experimental results show that the analysis has good precision and converges quickly for our set of Cilk programs.
A Schema for Interprocedural Modification Side-Effect Analysis With Pointer Aliasing
In Proceedings of the SIGPLAN '93 Conference on Programming Language Design and Implementation, 2001
Cited by 132 (13 self)
The first interprocedural modification side-effects analysis for C (MOD_C) that obtains better than worst-case precision on programs with general-purpose pointer usage is presented with empirical results. The analysis consists of an algorithm schema corresponding to a family of MOD_C algorithms with two independent phases: one for determining pointer-induced aliases and a subsequent one for propagating interprocedural side effects. These MOD_C algorithms are parameterized by the aliasing method used. The empirical results compare the performance of two dissimilar MOD_C algorithms: MOD_C(FSAlias) uses a flow-sensitive, calling-context-sensitive interprocedural alias analysis [LR92]; MOD_C(FIAlias) uses a flow-insensitive, calling-context-insensitive alias analysis which is much faster, but less accurate. These two algorithms were profiled on 45 programs ranging in size from 250 to 30,000 lines of C code, and the results demonstrate dramatically the possible cost-precision tradeoffs. This first comparative implementation of MOD_C analyses offers insight into the differences between flow/context-sensitive and flow/context-insensitive analyses. The analysis cost versus precision tradeoffs in side-effect information obtained is reported. The results show surprisingly that the precision of flow-sensitive side-effect analysis is not always prohibitive in cost, and that the precision of flow-insensitive analysis is substantially better than worst-case estimates and seems sufficient for certain applications. On average MOD_C(FSAlias) for procedures and calls is in the range of 20% more precise than MOD_C(FIAlias); however, the performance was found to be at least an order of magnitude slower than MOD_C(FIAlias).
Towards automatic generation of vulnerability-based signatures
2006
Cited by 130 (26 self)
In this paper we explore the problem of creating vulnerability signatures. A vulnerability signature matches all exploits of a given vulnerability, even polymorphic or metamorphic variants. Our work departs from previous approaches by focusing on the semantics of the program and vulnerability exercised by a sample exploit instead of the semantics or syntax of the exploit itself. We show the semantics of a vulnerability define a language which contains all and only those inputs that exploit the vulnerability. A vulnerability signature is a representation (e.g., a regular expression) of the vulnerability language. Unlike exploit-based signatures whose error rate can only be empirically measured for known test cases, the quality of a vulnerability signature can be formally quantified for all possible inputs. We provide a formal definition of a vulnerability signature and investigate the computational complexity of creating and matching vulnerability signatures. We also systematically explore the design space of vulnerability signatures. We identify three central issues in vulnerability-signature creation: how a vulnerability signature represents the set of inputs that may exercise a vulnerability, the vulnerability coverage (i.e., number of vulnerable program paths) that is subject to our analysis during signature creation, and how a vulnerability signature is then created for a given representation and coverage. We propose new dataflow analysis and novel adoption of existing techniques such as constraint solving for automatically generating vulnerability signatures. We have built a prototype system to test our techniques. Our experiments show that we can automatically generate a vulnerability signature using a single exploit which is of much higher quality than previous exploit-based signatures. In addition, our techniques have several other security applications, and thus may be of independent interest.
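The distinction the abstract draws between an exploit-based signature and a vulnerability signature (a representation of the language of all inputs that exercise the bug) can be made concrete on a tiny model. The following is an added example, not the paper's prototype or data: `vulnerable_parse` is a constructed model of a length-prefixed message parser that overflows a 16-byte buffer, `EXPLOIT_SIG` is a byte pattern lifted from one sample exploit, and `VULN_SIG` is a regular expression for the vulnerability language written by hand from the overflow condition rather than derived by the paper's dataflow and constraint-solving machinery. The sample inputs, the buffer size and all identifiers are assumptions made for the demonstration.

```python
import re

BUF_SIZE = 16   # constructed: the program memcpy's `length` bytes into a 16-byte buffer

def vulnerable_parse(msg: bytes) -> bool:
    """Constructed model of a vulnerable program (not the paper's subject):
    a one-byte length prefix followed by a payload that is copied into a
    16-byte stack buffer. Returns True when the input exercises the
    vulnerability, i.e. when the copy would write past the buffer."""
    if not msg:
        return False
    length = msg[0]
    return length > BUF_SIZE

# Constructed inputs: the exploit we were handed, a metamorphic variant of it
# (different filler, different overwritten return address), and benign traffic.
EXPLOIT = bytes([40]) + b"A" * 36 + b"\xde\xad\xbe\xef"
VARIANT = bytes([200]) + b"\x90" * 196 + b"\x37\x13\x37\x13"
BENIGN = bytes([5]) + b"hello"

# Exploit-based signature: a byte pattern lifted from the one exploit we saw.
EXPLOIT_SIG = re.compile(rb"A{16,}\xde\xad\xbe\xef")

# Vulnerability signature: a regular expression denoting the vulnerability
# language {m : m[0] > 16}. Here it is written by hand from the overflow
# condition in vulnerable_parse; the paper derives such signatures
# automatically from the program and a single sample exploit.
VULN_SIG = re.compile(rb"\A[\x11-\xff]")

def matches(sig, msg: bytes) -> bool:
    return sig.search(msg) is not None

def signature_quality(sig):
    """(false positives, false negatives) of `sig` against the model, checked
    over every possible first byte, which is the only thing the model depends
    on. This is the 'quantified for all possible inputs' property of the
    abstract, exhaustively checkable only because the model is this small."""
    fp = fn = 0
    for first in range(256):
        msg = bytes([first]) + b"B" * first
        exercised, hit = vulnerable_parse(msg), matches(sig, msg)
        fp += int(hit and not exercised)
        fn += int(exercised and not hit)
    return fp, fn

if __name__ == "__main__":
    for name, sig in (("exploit-based", EXPLOIT_SIG), ("vulnerability", VULN_SIG)):
        print(name, [matches(sig, m) for m in (EXPLOIT, VARIANT, BENIGN)],
              "fp/fn over all first bytes:", signature_quality(sig))
```

The exploit-based signature matches the sample it was built from and nothing else, so the variant with a different filler and return address walks straight past it; its false-negative count against the model is 239, one for every length byte above 16 that the pattern does not cover. The vulnerability signature matches exactly the inputs that overflow the buffer, including the variant, and never fires on the benign message, which is what the abstract means by a signature whose quality is a property of the vulnerability rather than of the exploits seen so far. On a real program the language is rarely this simple, and the paper's coverage notion (how many vulnerable paths the analysis followed) is what bounds how exact the generated regular expression can be.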