On the Impact of Memory Corruption Vulnerabilities in Client Applications

Total pages: 16. File type: PDF, size: 1020 KB.

Dissertation for the degree of Doktor-Ingenieur, Faculty of Electrical Engineering and Information Technology, Ruhr-Universität Bochum. Submitted by Robert Gawlik, from Tichau, 2016.

Date of the oral examination: 7 September 2016.
Reviewer: Prof. Dr. Thorsten Holz, Ruhr-Universität Bochum.
Second reviewer: Prof. Dr. Herbert Bos, Vrije Universiteit Amsterdam.

Abstract

Client programs are omnipresent in our digital age. In particular, web browsers are used by an enormous number of users for various tasks, including information gathering, social media activities and communication with each other. As the popularity of web browsers has grown, attackers have shifted their attention towards this kind of client-side software to compromise systems. Because of their huge code base and tremendous complexity, these programs contain a vast number of exploitable vulnerabilities.

In this thesis, various impacts of memory corruption vulnerabilities in client-side software are investigated from an offensive and a defensive perspective. The exploitation of a vulnerability in a web browser typically follows certain steps, carried out one after another. Usually, an adversary first needs information about the address space of the vulnerable program. This important step is called an information leak or memory disclosure. Once the attacker has gained enough knowledge about the address space of the program, she is able to hijack the control flow. This thesis considers information leaks and control-flow hijacking from attackers' and defenders' viewpoints.

We extend the technique of information leaks with a behavior of web browsers that was not known to that extent before (crash resistance): the program is kept alive although it should terminate due to critical memory errors, such as an illegal read access. This allows us to evaluate, from an adversarial perspective, defenses which promise to keep address space information of the program secret from attackers. Information leaks are also approached from a defensive perspective. To detect this step of an exploit, we introduce a concept for script engines, e.g., JavaScript: two processes of the same program are executed in parallel and their execution flow is synchronized. As we enforce a different address space layout in both of them, a memory disclosure manifests itself differently in the two processes and can be unveiled.

This thesis also addresses control-flow hijacking. Code reuse is currently the most common method to perform arbitrary computations after gaining control of the execution. For an adversary it is important to assess the quantity of code she can reuse. Hence, we introduce a framework to help evaluate specific control-flow integrity (CFI) defenses: we attempt to analyze a given program in an architecture-independent way to maximize the amount of reusable code which conforms to CFI policies. Attackers are able to hijack the control flow in browsers with vtable hijacking. This thesis approaches this widely used offensive technique from a defensive perspective. Virtual function tables (vtables) injected by attackers into the address space differ from real vtables. By using various heuristics and techniques we are the first to show that a vtable-hijacking mitigation for binary-only code is possible.

Summary (German abstract, translated)

In our digital age, client-side applications are ubiquitous. In particular, web browsers are used by a great many users for numerous activities, among them gathering information, activity in social media and communication between users. As the popularity of web browsers has grown, attackers have also turned their attention to these client applications in order to break into computer systems. Because of their large code base and enormous complexity, many exploitable memory errors exist in these programs.

This dissertation investigates various effects of memory errors in client applications from offensive and defensive standpoints. The process of exploiting a vulnerability (an exploit) can be divided into several consecutive steps. The attacker usually needs information about the address space of the vulnerable program. This important step is also called an information leak or memory disclosure. Once the attacker has gathered enough knowledge about the program's address space, he is able to take over the program's control flow. This step is also referred to as control-flow hijacking. This dissertation considers information leaks and control-flow hijacking from the perspective of attackers as well as defenders.

We combine the technique of information leaks with a behavior of browsers that was previously unknown to this extent (crash resistance). Here the program is kept running even though it should terminate because of critical memory errors, such as an illegal read access. This approach allows us to assess, from the attacker's perspective, defenses that promise to keep the address space secret from attackers. Information leaks are also considered from a defender's point of view. To detect this step of an attack, a concept for so-called scripting environments such as JavaScript is presented. Two processes of the same program are synchronized in their execution. Since we enforce a different address space in each of them, an information leak manifests itself differently in the two processes and can be detected.

This dissertation also addresses the step of control-flow takeover. Code reuse is currently the most common method for performing arbitrary computations once the program flow is controlled. From an attacker's perspective, it is important to know how much code can be reused. Therefore, a system is presented that is intended to help assess specific defensive measures, so-called control-flow integrity (CFI) solutions. It attempts, in an architecture-independent way, to maximize the amount of reusable code that complies with CFI rules. Attackers can take over the control flow in browsers via so-called vtable hijacking. This dissertation considers this widespread offensive technique from a defender's perspective. Special function tables (vtables) placed in the address space by attackers differ from real vtables. Using various heuristics and techniques, we are the first to show that a mitigation of vtable hijacking attacks is possible for binary programs.

Acknowledgements

It is a great pleasure to thank everybody who made this thesis possible. First of all I want to sincerely thank my advisor Prof. Dr. Thorsten Holz for giving me the opportunity of being part of the Systems Security group at the Ruhr University Bochum. He provided me with a pleasant and productive research environment and always supported me during the last four years. I had the chance to focus on research topics I was interested in and was able to collaborate with many friendly people sharing the same passion for security research. I am very happy to have worked together with many colleagues on many challenging and exciting projects. I am thankful to Sebastian Vogl, Thomas Kittel and Jonas Pfoh for a fruitful, effective collaboration and the time we spent together at various places. I had productive discussions with Benjamin Kollenda, Philipp Koppe and Jannik Pewny about thrilling ideas and research topics. Many of them culminated in highly interesting projects or publications. During my time in the lab it was a pleasure to work with Behrad Garmany, with whom I shared an office for the last three years. We had many valuable conversations and a lot of fun, not only at our working place. I am also thankful to all people at the chair for the time we spent at the university or elsewhere. Since the day I started they gave me the feeling of belonging to the same glorious team. I was very fortunate to work with, publish with or get inspired by Carsten Willems, Ralf Hund, Felix Schuster, Tilman Frosch, Johannes Hoffmann, Thomas Hupperich, Sebastian Uellenbeck, Teemu Rytilahti, Patrick Wollgast, Moritz Contag, Andre Pawlowski, Johannes Dahse, Christian Röpke, Apostolis Zarras and Marc Kührer. I want to thank my parents and Corina Costea for their support during all the time. Without you I would not have been able to either start or finish this thesis.

Contents

1 Introduction  1
1.1 The Arms Race between Attacks and Defenses  3
1.2 Thesis Contributions  4
1.3 Thesis Organization  7
1.4 Publications  8
2 Enabling Crash-Resistance to Evaluate Memory Secrecy Protections  9
2.1 Introduction  9
2.1.1 Subverting Information Hiding  10
2.1.2 Novel Memory Probing Method  10
2.2 Technical Background  11
2.2.1 Adversary Model  11
2.2.2 Randomization Techniques  12
2.2.3 Security by Information Hiding  13
2.3 Unveiling Hidden Memory  15
2.3.1 Fault-Tolerant Functionality  15
2.3.2 Crash-Resistance  16
2.3.3 Memory Oracles  18
2.3.4 Web Workers as Probing Agents  20
2.3.5 Finding Unreachable Memory Regions  20
2.3.6 Subverting Hidden Code Layouts  24
2.4 Conquering (Re-)Randomization  25
2.4.1 Defeating
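The memory oracle that crash resistance provides (the abstract's "program is kept alive although it should terminate due to ... an illegal read access", Sections 2.3.1 to 2.3.3 of the outline) can be illustrated outside a browser. The following C program is an added example and is not code from the thesis: it builds a crash-resistant read primitive from a SIGSEGV/SIGBUS handler and siglongjmp, so that a faulting read is reported instead of terminating the process, and uses that oracle to find where a readable region ends. The arena helper with its guard page, and all function names, are constructed for the example; it assumes a POSIX system with mmap and was written for Linux.

```c
/* Added example (not from the thesis): a crash-resistant read primitive.
 * A SIGSEGV/SIGBUS handler unwinds via siglongjmp back into the probe, so a
 * faulting read is reported as "not readable" instead of killing the
 * process. Every read thereby becomes a memory oracle that can walk the
 * address space page by page. Assumes POSIX signals and mmap (Linux). */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf probe_env;

/* Never returns to the faulting instruction. sigsetjmp(..., 1) saved the
 * signal mask, so siglongjmp also unblocks the signal for the next probe. */
static void fault_handler(int sig) {
    (void)sig;
    siglongjmp(probe_env, 1);
}

static void install_handlers_once(void) {
    static int installed;
    if (installed) return;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
    installed = 1;
}

size_t probe_page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Memory oracle: 1 if one byte at addr can be read, 0 if the access faults. */
int probe_readable(const void *addr) {
    install_handlers_once();
    if (sigsetjmp(probe_env, 1) == 0) {
        volatile const unsigned char *p = (volatile const unsigned char *)addr;
        (void)*p;                 /* the access under test */
        return 1;
    }
    return 0;                     /* reached via siglongjmp from the handler */
}

/* Walk forward from addr one page at a time and return the first page-aligned
 * address that is not readable, i.e. the end of the readable region that
 * contains addr. Returns 0 if max_pages pages were all readable. */
uintptr_t find_readable_region_end(const void *addr, size_t max_pages) {
    uintptr_t page = probe_page_size();
    uintptr_t cur = (uintptr_t)addr & ~(page - 1);
    for (size_t i = 0; i < max_pages; i++, cur += page)
        if (!probe_readable((const void *)cur)) return cur;
    return 0;
}

/* Count readable pages among the npages starting at the page holding addr. */
size_t count_readable_pages(const void *addr, size_t npages) {
    uintptr_t page = probe_page_size();
    uintptr_t cur = (uintptr_t)addr & ~(page - 1);
    size_t n = 0;
    for (size_t i = 0; i < npages; i++, cur += page)
        n += (size_t)probe_readable((const void *)cur);
    return n;
}

/* Constructed arena for the demo: readable_pages anonymous pages followed by
 * one PROT_NONE guard page, so the region end is known exactly. */
void *make_probe_arena(size_t readable_pages) {
    size_t page = probe_page_size();
    unsigned char *base = mmap(NULL, (readable_pages + 1) * page,
                               PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base + readable_pages * page, page, PROT_NONE) != 0) return NULL;
    return base;
}

int main(void) {
    size_t page = probe_page_size();
    unsigned char *arena = make_probe_arena(2);
    if (!arena) return 1;
    printf("arena start readable: %d\n", probe_readable(arena));
    printf("guard page readable:  %d\n", probe_readable(arena + 2 * page));
    printf("address 0x1 readable: %d\n", probe_readable((const void *)1));
    printf("readable pages before guard: %zu\n",
           (size_t)((find_readable_region_end(arena, 16) - (uintptr_t)arena) / page));
    return 0;
}
```

In a browser the fault-swallowing behavior comes from the engine, not from a handler the attacker installs, but the probing logic is the same: a read that does not crash is a positive oracle answer, and repeated probes at page granularity map out which regions exist, which is exactly what information-hiding defenses assume an attacker cannot do.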
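The vtable-hijacking mitigation described in the abstract rests on the observation that a vtable an attacker injects differs from one the compiler emitted. The following C program is an added example, not the thesis's own tool or its exact checks: it mimics the C++ object layout (vtable pointer at offset 0), registers the legitimate vtable as a stand-in for vtables recovered from a binary's read-only data, and, before each virtual call, applies two layout heuristics read from /proc/self/maps on Linux, namely that the vtable lies in non-writable memory and that the called entry points into executable memory. The Shape type, the registry, the heuristics and the constructed heap-sprayed vtable are assumptions of the example.

```c
/* Added example (not from the thesis): a simplified vtable-integrity check of
 * the kind a binary-only mitigation can place in front of each virtual call.
 * A real vtable sits in read-only data and its entries point into code; an
 * attacker-sprayed vtable on the heap is writable and typically points at
 * non-executable payload memory. Linux-only: permissions come from
 * /proc/self/maps. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct Shape Shape;
typedef struct ShapeVtable {
    double (*area)(const Shape *);
    const char *(*name)(const Shape *);
} ShapeVtable;
struct Shape {
    const ShapeVtable *vptr;    /* first word, as in C++ single inheritance */
    double w, h;
};

static double rect_area(const Shape *s) { return s->w * s->h; }
static const char *rect_name(const Shape *s) { (void)s; return "rect"; }
/* Lands in read-only data (.rodata, or .data.rel.ro under RELRO for PIE). */
static const ShapeVtable RectVtable = { rect_area, rect_name };

/* Registry standing in for vtables identified in the binary's read-only data. */
#define MAX_KNOWN 16
static const void *known_vtables[MAX_KNOWN];
static size_t n_known;

static int vtable_registered(const void *vt) {
    for (size_t i = 0; i < n_known; i++) if (known_vtables[i] == vt) return 1;
    return 0;
}
void register_vtable(const void *vt) {
    if (!vtable_registered(vt) && n_known < MAX_KNOWN) known_vtables[n_known++] = vt;
}
void init_known_vtables(void) { register_vtable(&RectVtable); }

/* Permissions ("r-xp" etc.) of the mapping containing addr, parsed from
 * /proc/self/maps. Returns 0 if the file is unavailable or addr is unmapped. */
static int mapping_perms(const void *addr, char perms[5]) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512];
    uintptr_t a = (uintptr_t)addr;
    int found = 0;
    while (!found && fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) != 3) continue;
        if (a >= lo && a < hi) { memcpy(perms, p, 5); found = 1; }
    }
    fclose(f);
    return found;
}

enum vt_verdict { VT_OK = 0, VT_WRITABLE_VTABLE, VT_NONEXEC_TARGET, VT_UNKNOWN_VTABLE };

/* Run before dispatching entry `slot` of obj's vtable. The layout heuristics
 * are skipped (not failed) when the maps file cannot be read; the registry
 * check always applies. */
enum vt_verdict check_vcall(const Shape *obj, size_t slot) {
    const void *vt = obj->vptr;
    const void *target;
    memcpy(&target, (const char *)vt + slot * sizeof(void *), sizeof target);
    char perms[5];
    if (mapping_perms(vt, perms) && perms[1] == 'w') return VT_WRITABLE_VTABLE;
    if (mapping_perms(target, perms) && perms[2] != 'x') return VT_NONEXEC_TARGET;
    if (!vtable_registered(vt)) return VT_UNKNOWN_VTABLE;
    return VT_OK;
}

/* Guarded virtual call: -1.0 signals a rejected dispatch. */
double guarded_area(const Shape *obj) {
    if (check_vcall(obj, 0) != VT_OK) return -1.0;
    return obj->vptr->area(obj);
}

/* Constructed attack: a heap buffer used as a vtable whose entries point at a
 * heap "payload", as after a use-after-free or type confusion that let the
 * attacker overwrite the object's vptr. */
Shape make_hijacked_shape(void) {
    void **fake = malloc(2 * sizeof(void *));
    unsigned char *payload = malloc(64);
    memset(payload, 0xcc, 64);
    fake[0] = payload;
    fake[1] = payload;
    Shape s = { (const ShapeVtable *)fake, 1.0, 1.0 };
    return s;
}

int main(void) {
    init_known_vtables();
    Shape r = { &RectVtable, 2.0, 3.0 };
    Shape evil = make_hijacked_shape();
    printf("legit rect: verdict %d, area %.1f\n", check_vcall(&r, 0), guarded_area(&r));
    printf("hijacked:   verdict %d, area %.1f\n", check_vcall(&evil, 0), guarded_area(&evil));
    return 0;
}
```

The layout heuristics are what a binary-only instrumentation can check without type information; the registry is what static analysis of the binary's data sections can supply. Neither covers an attacker who reuses a legitimate vtable of the wrong class, which is why a full mitigation combines several such signals rather than relying on one.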