DOCSLIB.ORG

Ph.D Thesis: WYSINWYX What You See Is Not What You Execute

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Ph.D Thesis: WYSINWYX What You See Is Not What You Execute WYSINWYX: WHAT YOU SEE IS NOT WHAT YOU EXECUTE by Gogul Balakrishnan A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy (Computer Sciences Department) at the UNIVERSITY OF WISCONSIN–MADISON 2007 c Copyright by Gogul Balakrishnan 2007 All Rights Reserved i To my beloved grandma Rajakrishnammal::: ii ACKNOWLEDGMENTS First of all, I would like to thank my parents Mr. Balakrishnan and Mrs. Manickam for making my education a priority even in the most trying circumstances. Without their love and constant support, it would not have been possible for me to obtain my Ph.D. Next, I would like to thank my advisor, Prof. Thomas Reps, who, without an iota of exagger- ation, was like a father to me in the US. He taught me the importance of working from the basics and the need for clarity in thinking. I have learnt a lot of things from him outside work: writing, sailing, safety on the road, and so on; the list is endless. He was a source of constant support and inspiration. He usually goes out of his way to help his students—he was with me the whole night when we submitted our first paper! I don’t think my accomplishments would have been possible without his constant support. Most of what I am as a researcher is due to him. Thank you, Tom. I would also like to thank GrammaTech, Inc. for providing the basic infrastructure for CodeSurfer/x86. I am really grateful to Prof. Tim Teitelbaum for allocating the funds and the time at GrammaTech to support our group at the University of Wisconsin. Special thanks go to Radu Gruian and Suan Yong, who provided high-quality software and support. I have always enjoyed the discussions and the interactions I had with them. Furthermore, I would like to thank Prof. Nigel Boston, Prof. Susan Horwitz, Prof. Ben Liblit, and Prof. Mike Swift for being on my committee and for the stimulating discussions during my defense. I would like to specially thank Prof. Susan Horwitz, Prof. Tom Reps, and Prof. Mike Swift for their insightful comments on a draft of my dissertation. Their comments have definitely improved the readability of this dissertation. I would also like to thank Prof. V. Uma Maheswari, who introduced me to compilers at Anna University. She also taught me to take life as it is. iii I would like to specially thank Junghee Lim for being a great office mate and also for taking over the implementation of some parts of the analysis algorithms in CodeSurfer/x86. In addi- tion, I would like to thank the other students in PL research: Evan Driscoll, Denis Gopan, Nick Kidd, Raghavan Komondoor, Akash Lal, Alexey Loginov, Dave Melski, Anne Mulhern, and Cindy Rubio Gonzalez.´ I have always had interesting discussions with them and their feedback on my presentations have always been helpful. I would also like to thank the members of the Wisconsin Safety Analyzer (WiSA) group: Prof. Somesh Jha, Prof. Bart Miller, Mihai Christodorescu, Vinod Ganapathy, Jon Giffin, Shai Rubin, and Hao Wang. I have always enjoyed being part of the WiSA group, and the bi-yearly trips for the project reviews were always fun. My dissertation research was supported by a number of sources, including the Office of Naval Research, under grant N00014-01-1-0708, the Homeland Security Advanced Research Projects Agency (HSARPA) under AFRL contract FA8750-05-C-0179, and the Disruptive Technology Of- fice (DTO) under AFRL contract FA8750-06-C-0249. I am thankful to our ONR program man- agers Dr. Ralph Wachter and Gary Toth for their support. Finally, I would like to thank my sister Arini, and my friends, Anto, George, Jith, Muthian, Piramanayagam, Prabu, Pranay, Sanjay, Senthil, Veeve, Vicky, and Vinoth, for making my six years in Madison less stressful. I will always remember the Tamil, Telugu, Hindi, and English movies we watched late in the night on a BIG screen at Oaktree. Moreover, I cannot forget our Idlebrain Cricket Club. DISCARD THIS PAGE iv TABLE OF CONTENTS Page LIST OF TABLES ....................................... vii LIST OF FIGURES ...................................... viii ABSTRACT .......................................... xi 1 Introduction ........................................1 1.1 Advantages of Analyzing Executables........................8 1.2 Challenges in Analyzing Executables........................ 10 1.2.1 No Debugging/Symbol-Table Information.................. 11 1.2.2 Lack Of Variable-like Entities........................ 12 1.2.3 Information About Memory-Access Expressions.............. 12 1.3 CodeSurfer/x86: A Tool for Analyzing Executables................. 13 1.4 The Scope of Our Work................................ 16 1.5 Contributions and Organization of the Dissertation................. 18 2 An Abstract Memory Model ............................... 20 2.1 Memory-Regions................................... 21 2.2 Abstract Locations (A-Locs)............................. 23 3 Value-Set Analysis (VSA) ................................. 26 3.1 Value-Set....................................... 28 3.2 Abstract Environment (AbsEnv)........................... 30 3.3 Representing Abstract Stores Efficiently....................... 31 3.4 Intraprocedural Analysis............................... 32 3.4.1 Idioms.................................... 37 3.4.2 Predicates for Conditional Branch Instructions............... 38 3.5 Interprocedural Analysis............................... 39 3.5.1 Abstract Transformer for call!enter Edge................. 41 3.5.2 Abstract Transformer for exit!end-call Edge................ 43 v Page 3.5.3 Interprocedural VSA algorithm....................... 44 3.6 Indirect Jumps and Indirect Calls........................... 45 3.7 Context-Sensitive VSA................................ 46 3.7.1 Call-Strings.................................. 46 3.7.2 Context-Sensitive VSA Algorithm...................... 48 3.7.3 Memory-Region Status Map......................... 49 3.8 Soundness of VSA.................................. 49 4 Value-Set Arithmetic ................................... 51 4.1 Notational Conventions................................ 51 4.2 Strided-Interval Arithmetic.............................. 51 4.2.1 Addition (+si)................................. 53 si 4.2.2 Unary Minus (−u).............................. 55 4.2.3 Subtraction (−si), Increment (++si), and Decrement (−−si)........ 56 4.2.4 Bitwise Or (jsi)................................ 56 4.2.5 Bitwise not (∼si), And (&si), and Xor (^si).................. 60 4.2.6 Strided-Interval Arithmetic for Different Radices.............. 60 4.3 Value-Set Arithmetic................................. 62 4.3.1 Addition (+vs)................................ 63 4.3.2 Subtraction (−vs)............................... 64 4.3.3 Bitwise And (&vs), Or (jvs), and Xor (^vs).................. 64 4.3.4 Value-Set Arithmetic for Different Radices................. 65 5 Improving the A-loc Abstraction ............................. 66 5.1 Overview of our Approach.............................. 67 5.1.1 The Problem of Indirect Memory Accesses................. 67 5.1.2 The Problem of Granularity and Expressiveness............... 69 5.2 Background...................................... 71 5.2.1 Aggregate Structure Identification (ASI)................... 72 5.3 Recovering A-locs via Iteration............................ 75 5.4 Generating Data-Access Constraints......................... 77 5.5 Interpreting Indirect Memory-References...................... 81 5.6 Hierarchical A-locs.................................. 85 5.7 Convergence..................................... 86 5.8 Pragmatics....................................... 87 5.9 Experiments...................................... 87 5.9.1 Comparison of A-locs with Program Variables............... 88 5.9.2 Usefulness of the A-locs for Static Analysis................. 91 vi Page 6 Recency-Abstraction for Heap-Allocated Storage ................... 97 6.1 Problems in Using the Allocation-Site Abstraction in VSA............. 100 6.1.1 Contents of the Fields of Heap-Allocated Memory-Blocks......... 101 6.1.2 Resolving Virtual-Function Calls in Executables.............. 101 6.2 An Abstraction for Heap-Allocated Storage..................... 104 6.3 Formalizing The Recency-Abstraction........................ 106 6.4 Experiments...................................... 110 7 Other Improvements to VSA ............................... 113 7.1 Widening....................................... 113 7.2 Affine-Relation Analysis (ARA)........................... 116 7.3 Limited Widening................................... 118 7.4 Priority-based Iteration................................ 119 7.4.1 Experiments................................. 122 7.5 GMOD-based Merge Function............................ 122 7.5.1 Experiments................................. 125 8 Case Study: Analyzing Device Drivers ......................... 134 8.1 Background...................................... 135 8.2 The Need For Path-Sensitivity In Device-Driver Analysis.............. 135 8.3 Path-Sensitive VSA.................................. 138 8.4 Experiments...................................... 140 9 Related Work ....................................... 148 9.1 Information About Memory Accesses in Executables................ 148 9.2 Identification of Structures.............................. 154 9.3 Recency-Abstraction For Heap-Allocated Storage.................. 156 10 Conclusions And Future Directions ........................... 159 LIST OF REFERENCES ................................... 163 DISCARD THIS PAGE vii LIST OF TABLES Table Page
Load more

Recommended publications
  • Advanced Slicing of Sequential and Concurrent Programs Jens Krinke
    Advanced Slicing of Sequential and Concurrent Programs Jens Krinke April 2003 Dissertation zur Erlangung des Doktorgrades in den Naturwissenschaften ii Acknowledgments First of all, I wish to thank my adviser Gregor Snelting for providing the sup- port, freedom and protection to do research without pressure. A big ‘sorry’ goes to him, to the second reviewer, Tim Teitelbaum, and to David Melski, be- cause this thesis has become longer than expected—thanks for reading it and the valuable comments. Without the love and support of Uta von Holten, this work would not have been possible. She always believed in me, although this thesis took too long to finish. I thank my parents for enabling my career. A big ‘thank you’ goes to my students who helped a lot by implement- ing parts of the presented techniques. First of all the former students at TU Braunschweig: Frank Ehrich, who implemented the user interface of the VAL- SOFT system (14.1.6) including the graphical visualization of program depen- dence graphs, slices and chops (9.1), Christian Bruns implemented the constant propagation (11.2.2), Torsten Königshagen implemented the call graph con- struction (11.2.1), Stefan Konst implemented the approximate dynamic slicing (14.1.8), and Carsten Schulz implemented the common subexpression elimina- tion (11.2.3). Students from Universität Passau were: Silvia Breu implemented the chop visualization (10.4), Daniel Gmach implemented the textual visual- ization of slices (9.2) and duplicated code (12.2.2), Alexander Wrobel imple- mented the distance-limited slicing (10.1), and Thomas Zimmermann imple- mented some chopping algorithms (10.2).
    [Show full text]
  • Workshop on the Evaluation of Software Defect Detection Tools
    Workshop on the Evaluation of Software Defect Detection Tools Sunday, June 12th, 2005 Co-located with PLDI 2005 Workshop co-chairs: William Pugh (University of Maryland) and Jim Larus (Microsoft Research) Program chair: Dawson Engler (Stanford University) Program Committee: Andy Chou, Manuvir Das, Michael Ernst, Cormac Flanagan, Dan Grossman, Jonathan Pincus, Andreas Zeller Time What Time What 8:30 am Discussion on Soundness 2:30 pm break 2:45 pm Research presentations The Soundness of Bugs is What Matters, Patrice Godefroid, Bell Laboratories, Lucent Technologies Experience from Developing the Dialyzer: A Static Soundness and its Role in Bug Detection Systems, Analysis Tool Detecting Defects in Erlang Yichen Xie, Mayur Naik, Brian Hackett, Alex Applications, Kostis Sagonas, Uppsala University Aiken, Stanford University Soundness by Static Analysis and False-alarm Removal by Statistical Analysis: Our Airac 9:15 am break Experience, Yungbum Jung, Jaehwang Kim, Jaeho 9:30 am Research presentations Sin, Kwangkeun Yi, Seoul National University Locating Matching Method Calls by Mining 3:45 pm break Revision History Data, Benjamin Livshits, 4:00 pm Discussion of Benchmarking Thomas Zimmermann, Stanford University Evaluating a Lightweight Defect Localization Dynamic Buffer Overflow Detection, Michael Tool, Valentin Dallmeier, Christian Lindig, Zhivich, Tim Leek, Richard Lippmann, MIT Andreas Zeller, Saarland University Lincoln Laboratory Using a Diagnostic Corpus of C Programs to 10:30 am break Evaluate Buffer Overflow Detection by Static 10:45 am Invited talk on Deployment and Adoption, Manuvir Das, Analysis Tools, Kendra Kratkiewicz, Richard Microsoft Lippmann, MIT Lincoln Laboratory 11:15 am Discussion of Deployment and Adoption BugBench: A Benchmark for Evaluating Bug Detection Tools, Shan Lu, Zhenmin Li, Feng Qin, The Open Source Proving Grounds, Ben Liblit, Lin Tan, Pin Zhou, Yuanyuan Zhou, UIUC University of Wisconsin-Madison Benchmarking Bug Detection Tools.
    [Show full text]
  • Self-Adjusting Computation with Delta ML
    Self-Adjusting Computation with Delta ML Umut A. Acar1 and Ruy Ley-Wild2 1 Toyota Technological Institute Chicago, IL, USA [email protected] 2 Carnegie Mellon University Pittsburgh, PA, USA [email protected] Abstract. In self-adjusting computation, programs respond automati- cally and efficiently to modifications to their data by tracking the dy- namic data dependences of the computation and incrementally updating the output as needed. In this tutorial, we describe the self-adjusting- computation model and present the language ∆ML (Delta ML) for writ- ing self-adjusting programs. 1 Introduction Since the early years of computer science, researchers realized that many uses of computer applications are incremental by nature. We start an application with some initial input to obtain some initial output. We then observe the output, make some small modifications to the input and re-compute the output. We often repeat this process of modifying the input incrementally and re-computing the output. In many applications, incremental modifications to the input cause only incremental modifications to the output, raising the question of whether it would be possible to update the output faster than recomputing from scratch. Examples of this phenomena abound. For example, applications that interact with or model the physical world (e.g., robots, traffic control systems, schedul- ing systems) observe the world evolve slowly over time and must respond to those changes efficiently. Similarly in applications that interact with the user, application-data changes incrementally over time as a result of user commands. For example, in software development, the compiler is invoked repeatedly after the user makes small changes to the program code.
    [Show full text]
  • Adaptive Functional Programming∗
    Adaptive Functional Programming∗ Umut A. Acar† Guy E. Blelloch‡ Robert Harper§ May 5, 2006 Abstract We present techniques for incremental computing by introducing adaptive functional pro- gramming. As an adaptive program executes, the underlying system represents the data and control dependences in the execution in the form of a dynamic dependence graph. When the input to the program changes, a change propagation algorithm updates the output and the dynamic dependence graph by propagating changes through the graph and re-executing code where necessary. Adaptive programs adapt their output to any change in the input, small or large. We show that adaptivity techniques are practical by giving an efficient implementation as a small ML library. The library consists of three operations for making a program adaptive, plus two operations for making changes to the input and adapting the output to these changes. We give a general bound on the time it takes to adapt the output, and based on this, show that an adaptive Quicksort adapts its output in logarithmic time when its input is extended by one key. To show the safety and correctness of the mechanism we give a formal definition of AFL, a call-by-value functional language extended with adaptivity primitives. The modal type system of AFL enforces correct usage of the adaptivity mechanism, which can only be checked at run time in the ML library. Based on the AFL dynamic semantics, we formalize the change-propagation algorithm and prove its correctness. 1 Introduction Incremental computation concerns maintaining the input-output relationship of a program as the input of a program undergoes changes.
    [Show full text]
  • Secure Programs Via Game-Based Synthesis
    Secure Programs via Game-based Synthesis Somesh Jha Tom Reps Bill Harris University of Wisconsin (Madison) ABSTRACT Several recent operating systems provide system calls that allow an application to explicitly manage the privileges of modules with which the application interacts. Such privilege-aware operating systems allow a programmer to a write a program that satisfies a strong security policy, even when the program interacts with untrusted modules. However, it is often non-trivial to rewrite a program to correctly use the system calls to satisfy a high-level security policy. This paper concerns the policy-weaving problem, which is to take as input a program, a desired high-level policy for the program, and a description of how system calls affect privilege, and automatically rewrite the program to invoke the system calls so that it satisfies the policy. We describe a reduction from the policy-weaving problem to finding a winning strategy to a two-player safety game. We then describe a policy-weaver generator that implements the reduction and a novel game-solving algorithm, and present an experimental evaluation of the generator applied to a model of the Capsicum capability system. We conclude by outlining ongoing work in applying the generator to a model of the HiStar decentralized-information-flow control (DIFC) system. SHORT BIOGRAPHIES Somesh Jha received his B.Tech from Indian Institute of Technology, New Delhi in Electrical Engineering. He received his Ph.D. in Computer Science from Carnegie Mellon University in 1996. Currently, Somesh Jha is a Professor in the Computer Sciences Department at the University of Wisconsin (Madison), which he joined in 2000.
    [Show full text]
  • Incremental Attribute Evaluation for Multi-User Semantics-Based Editors
    Incremental Attribute Evaluation for Multi-User Semantics-Based Editors Josephine Micallef Columbia University Department of Computer Science New York, NY 10027 May 1991 CUCS-023-91 Incremental Attribute Evaluation for Multi-User Semantics-Based Editors Josephine Micallef Submitted in panial fulfillment of the requirements for the degree of Doctor of Philosophy in the Graduate School of Arts and Sciences. Columbia University 1991 Copyright © 1991 Josephine Micallef ALL RIGHTS RESERVED Abstract Incremental Attribute Evaluation for Multi-User Semantics-Based Editors Josephine Micallef This thesis addresses two fundamental problems associated with perfonning incremental attribute evaluation in multi-user editors based on the attribute grammar formalism: (1) multiple asynchronous modifications of the attributed derivation tree, and (2) segmentation of the tree into separate modular units. Solutions to these problems make it possible to construct semantics-based editors for use by teams of programmers developing or maintaining large software systems. Multi-user semantics­ based editors improve software productivity by reducing communication costs and snafus. The objectives of an incremental attribute evaluation algorithm for multiple asynchronous changes are that (a) all attributes of the derivation tree have correct values when evaluation terminates, and (b) the cost of evaluating attributes necessary to reestablish a correctly attributed derivation tree is minimized. We present a family of algorithms that differ in how they balance the tradeoff between algorithm efficiency and expressiveness of the attribute grammar. This is important because multi-user editors seem a practical basis for many areas of computer-supported cooperative work, not just programming. Different application areas may have distinct definitions of efficiency, and may impose different requirements on the expressiveness of the attribute grammar.
    [Show full text]