DOCSLIB.ORG

The ASTREE Static Analysis Tool

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The ASTREE Static Analysis Tool Abstract Interpretation « The Astrée Static Analysis Tool » There are two fundamental concepts in computer science (and in sciences in general) : – Abstraction : to reason on complex systems Patrick Cousot – Approximation : to make effective undecidable com- École normale supérieure putations 45 rue d’Ulm, 75230 Paris cedex 05, France [email protected] www.di.ens.fr/~cousot These concepts are formalized by abstract interpretation References [POPL ’77] P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction ES_PASS Workshop — Berlin — 16–17 October 2007 or approximation of fixpoints. In 4th ACM POPL. [Thesis ’78] P. Cousot. Méthodes itératives de construction et d’approximation de points fixes d’opérateurs monotones sur un treillis, analyse sémantique de programmes. Thèse ès sci. math. Grenoble, march 1978. [POPL ’79] P. Cousot & R. Cousot. Systematic design of program analysis frameworks. In 6th ACM POPL. ES_PASS Workshop, 16-17/10/2007 — 1 — ľ P. Cousot ES_PASS Workshop, 16-17/10/2007 — 3 — ľ P. Cousot 1. Informal Introduction to Ab- stract Interpretation Principle of Abstraction ES_PASS Workshop, 16-17/10/2007 — 2 — ľ P. Cousot ES_PASS Workshop, 16-17/10/2007 — 4 — ľ P. Cousot Operational semantics Test/Debugging is Unsafe x(t) x(t) t t ES_PASS Workshop, 16-17/10/2007 — 5 — ľ P. Cousot ES_PASS Workshop, 16-17/10/2007 — 7 — ľ P. Cousot Safety property Bounded Model Checking is Unsafe x(t) x(t) t t ES_PASS Workshop, 16-17/10/2007 — 6 — ľ P. Cousot ES_PASS Workshop, 16-17/10/2007 — 8 — ľ P. Cousot Over-Approximation (Cont’d) x(t) Soundness and Incompleteness t ES_PASS Workshop, 16-17/10/2007 — 9 — ľ P. Cousot ES_PASS Workshop, 16-17/10/2007 — 11 — ľ P. Cousot Abstract Interpretation is Sound Soundness Requirement: Erroneous Abstraction 1 x(t) x(t) t t 1 This situation is always excluded in static analysis by abstract interpretation. ES_PASS Workshop, 16-17/10/2007 — 10 — ľ P. Cousot ES_PASS Workshop, 16-17/10/2007 — 12 — ľ P. Cousot Soundness Requirement: Erroneous Abstraction 2 x(t) 2. The Astrée static analyzer http://www.astree.ens.fr/ t 2 This situation is always excluded in static analysis by abstract interpretation. ES_PASS Workshop, 16-17/10/2007 — 13 — ľ P. Cousot ES_PASS Workshop, 16-17/10/2007 — 15 — ľ P. Cousot Imprecision ) False Alarms Project Members x(t) Bruno Blanchet 3 Patrick Cousot Radhia Cousot Jérôme Feret Laurent Mauborgne Antoine Miné David Monniaux 4 Xavier Rival t 3 Nov. 2001 —– Nov. 2003. 4 Nov. 2001 —– Aug. 2007. ES_PASS Workshop, 16-17/10/2007 — 14 — ľ P. Cousot ES_PASS Workshop, 16-17/10/2007 — 16 — ľ P. Cousot – with (cont’d) - union NEW [Min06a] - pointer arithmetics & casts NEW [Min06a] Programs Analyzed by Astrée – without - dynamic memory allocation and their Semantics - recursive function calls - unstructured/backward branching - conflicting side effects - C libraries, system calls (parallelism) Such limitations are quite common for embedded safety-critical software. ES_PASS Workshop, 16-17/10/2007 — 17 — ľ P. Cousot ES_PASS Workshop, 16-17/10/2007 — 19 — ľ P. Cousot Programs analysed by Astrée The Class of Considered Periodic Synchronous Programs volatile input, state and output variables; – Application Domain: large safety critical embedded declare initialize state and output variables; real-time synchronous software for non-linear control loop forever of very complex control/command systems. - read volatile input variables, – C programs: - compute output and state variables, - write to output variables; - with __ASTREE_wait_for_clock (); ´ basic numeric datatypes, structures and arrays end loop ´ pointers (including on functions), Task scheduling is static: ´ floating point computations – Requirements: the only interrupts are clock ticks; ´ tests, loops and function calls – Execution time of loop body less than a clock tick, ´ limited branching (forward goto, break, continue) as verified by the aiT WCET Analyzers [1FHL] +0 . ES_PASS Workshop, 16-17/10/2007 — 18 — ľ P. Cousot ES_PASS Workshop, 16-17/10/2007 — 20 — ľ P. Cousot Concrete Operational Semantics – International norm of C (ISO/IEC 9899:1999) – restricted by implementation-specific behaviors depend- ing upon the machine and compiler (e.g. representa- tion and size of integers, IEEE 754-1985 norm for floats and doubles) Specification Proved by Astrée – restrictedby user-defined programming guidelines (such as no modular arithmetic for signed integers, even though this might be the hardware choice) – restricted by program specific user requirements (e.g. assert, execution stops on first runtime error 5) 5 semantics of C unclear after an error, equivalent if no alarm ES_PASS Workshop, 16-17/10/2007 — 21 — ľ P. Cousot ES_PASS Workshop, 16-17/10/2007 — 23 — ľ P. Cousot Different Classes of Run-time Errors Implicit Specification: Absence of Runtime Errors 1. Errors terminating the execution 6. Astrée warns and continues by taking into account only the executions that did not trigger the error. – No violation of the norm of C (e.g. array index out of 2. Errors not terminating the execution with predictable outcome 7. bounds, division by zero) Astrée warns and continues with worst-case assumptions. – No implementation-specific undefined behaviors (e.g. 3. Errors not terminating the execution with unpredictable maximum short integer is 32767, NaN) 8 Astrée outcome . warns and continues by taking into ac- – No violation of the programming guidelines (e.g. static count only the executions that did not trigger the error. variables cannot be assumed to be initialized to 0) ) Astrée is sound with respect to C standard, unsound with – No violation of the programmer assertions (must all respect to C implementation, unless no false alarm. be statically verified). 6 floating-point exceptions e.g. (invalid operations, overflows, etc.) when traps are activated 7 e.g. overflows over signed integers resulting in some signed integer. 8 e.g. memory corruptionss. ES_PASS Workshop, 16-17/10/2007 — 22 — ľ P. Cousot ES_PASS Workshop, 16-17/10/2007 — 24 — ľ P. Cousot Simple congruences x = 19 mod 77 y y = 20 mod 99 Examples of General Purpose Abstractions Used by Astrée Non-relational x Best abstraction. 10 Ph. Granger. Static Analysis of Arithmetical Congruences. Int. J. Comput. Math. 30, 1989, pp. 165–190. ES_PASS Workshop, 16-17/10/2007 — 25 — ľ P. Cousot ES_PASS Workshop, 16-17/10/2007 — 27 — ľ P. Cousot Intervals 9 Intervals & Simple Congruences x 2 [19; 77] y 2 [20; 07] % cat -n congruence.c 1 /* congruence.c */ 2 int main() Non-relational 3 { int X; 4 X = 0; Best abstraction. 5 while (X <= 128) 6 { X = X + 4; }; 7 __ASTREE_log_vars((X)); 8 } % astree congruence.c –no-relational –exec-fn main |& egrep "(WARN)|(X in)" direct = <integers (intv+cong+bitfield+set): X in {132} /\ Top > % 9 P. Cousot & R. Cousot. Static determination of dynamic properties of programs. Proc. 2nd Int. Symp. on Programming, Dunod, 1976. ES_PASS Workshop, 16-17/10/2007 — 26 — ľ P. Cousot ES_PASS Workshop, 16-17/10/2007 — 28 — ľ P. Cousot Symbolic abstract domain [Min04a, Min04b] Boolean Relations for Boolean Control – Code Sample: – Interval analysis: if x 2 [a;b] and y 2 [c;d] then x`y 2 /* boolean.c */ B [a`d; b`c] so if 0x;2 [ 100] then x`x 2 [`100; 100]!!! typedef enum {F=0,T=1} BOOL; T F BOOL B; – The symbolic abstract domain propagates the sym- void main () { B0 B0 T F T F bolic values of variables and performs simplifications; unsigned int X, Y; while (1) { Y Y Y – Must maintain the maximal possible rounding error ... B = (X == 0); X X X for float computations (overestimated with intervals); ... % cat -n x-x.c 1 void main () { int X, Y; if (!B) { 2 __ASTREE_known_fact(((0 <= X) && (X <= 100))); Y = 1 / X; The boolean relation abstract do- 3 Y = (X - X); } main is parameterized by the height 4 __ASTREE_log_vars((Y)); 5 } ... of the decision tree (an analyzer astree –exec-fn main –no-relational x-x.c astree –exec-fn main x-x.c } option) and the abstract domain at Call [email protected]:1:5-x-x.c:1:9: Call [email protected]:1:5-x-x.c:1:9: } the leafs <interval: Y in [-100, 100]> <interval: Y in {0}> <symbolic: Y = (X -i X)> ES_PASS Workshop, 16-17/10/2007 — 29 — ľ P. Cousot ES_PASS Workshop, 16-17/10/2007 — 31 — ľ P. Cousot Octagons (Automatic) Parameterization 1 » x » 9 – All abstract domains of Astrée are parameterized, 8 x + y » 77 e.g. > <> 1 » y » 9 - variable packing for octagones and decision trees, x ` y » 99 - partition/merge program points, > :> - loop unrollings, Weakly relational - thresholds in widenings, . ; Best abstraction. – End-users can either parameterize by hand (analyzer options, directives in the code), or – choose the automatic parameterization (default options, 11 A. Miné. A New Numerical Abstract Domain Based on Difference-Bound Matrices. PADO’2001. directives for pattern-matched predefined program sche- LNCS 2053, pp. 155–172. Springer 2001. See the The Octagon Abstract Domain Library on http://www.di.ens.fr/~mine/oct/ mata). ES_PASS Workshop, 16-17/10/2007 — 30 — ľ P. Cousot ES_PASS Workshop, 16-17/10/2007 — 32 — ľ P. Cousot Static Analysis with Astrée % cat -n modulo.c 1 int main () { 2 int x,y; 3 x = -2147483647 / -1; 4 y = ((-x) -1) / -1; 5 __ASTREE_log_vars((x,y)); 6 } Modular Arithmetic 7 % astree –exec-fn main –unroll 0 modulo.c\ |& egrep -A 1 "(<integers)|(WARN)" modulo.c:4.4-18::[call#main@1:]: WARN: signed int arithmetic range {2147483648} not included in [-2147483648, 2147483647] <integers (intv+cong+bitfield+set): y in [-2147483648, 2147483647] /\ Top, x in {2147483647} /\ {2147483647} > Astrée signals the overflow and goes on with an unkown value. ES_PASS Workshop, 16-17/10/2007 — 33 — ľ P.
Load more

Recommended publications
  • Abstract Interpretation
    Colloquium d’informatique de l’UPMC Sorbonne Universités Abstract Interpretation 29 septembre 2016, 18:00, Amphi 15 4 Place Jussieu, 75005 Paris Patrick Cousot [email protected]@yu.e1du cs.nyu.edu/~pcousot Abstract interpretation, Colloquium d’informatique de l’UPMC Sorbonne Universités, 29 Septembre 2016 1 © P. Cousot This is an abstract interpretation Abstract interpretation, Colloquium d’informatique de l’UPMC Sorbonne Universités, 29 Septembre 2016 2 © P. Cousot Scientific research Abstract interpretation, Colloquium d’informatique de l’UPMC Sorbonne Universités, 29 Septembre 2016 3 © P. Cousot Scientific research • In Mathematics/Physics: trend towards unification and synthesis through universal principles • In Computer science: trend towards dispersion and parcellation through a ever-growing collection of local ad-hoc techniques for specific applications An exponential process, will stop! Abstract interpretation, Colloquium d’informatique de l’UPMC Sorbonne Universités, 29 Septembre 2016 4 © P. Cousot Example: reasoning on computational structures WCET Operational Security protocole Systems biology Axiomatic verification semantics semantics analysis Abstraction Dataflow Model Database refinement Confidentiality checking analysis analysis query Type Partial Obfuscation Dependence Program evaluation inference synthesis Denotational analysis Separation Effect logic Grammar systems semantics CEGAR analysis Theories Program Termination Statistical Trace combination transformation proof semantics model-checking Interpolants Abstract Shape Code analysis
    [Show full text]
  • Precise and Scalable Static Program Analysis of NASA Flight Software
    Precise and Scalable Static Program Analysis of NASA Flight Software G. Brat and A. Venet Kestrel Technology NASA Ames Research Center, MS 26912 Moffett Field, CA 94035-1000 650-604-1 105 650-604-0775 brat @email.arc.nasa.gov [email protected] Abstract-Recent NASA mission failures (e.g., Mars Polar Unfortunately, traditional verification methods (such as Lander and Mars Orbiter) illustrate the importance of having testing) cannot guarantee the absence of errors in software an efficient verification and validation process for such systems. Therefore, it is important to build verification tools systems. One software error, as simple as it may be, can that exhaustively check for as many classes of errors as cause the loss of an expensive mission, or lead to budget possible. Static program analysis is a verification technique overruns and crunched schedules. Unfortunately, traditional that identifies faults, or certifies the absence of faults, in verification methods cannot guarantee the absence of errors software without having to execute the program. Using the in software systems. Therefore, we have developed the CGS formal semantic of the programming language (C in our static program analysis tool, which can exhaustively analyze case), this technique analyses the source code of a program large C programs. CGS analyzes the source code and looking for faults of a certain type. We have developed a identifies statements in which arrays are accessed out Of static program analysis tool, called C Global Surveyor bounds, or, pointers are used outside the memory region (CGS), which can analyze large C programs for embedded they should address.
    [Show full text]
  • Lecture Notes in Computer Science 1145 Edited by G
    Lecture Notes in Computer Science 1145 Edited by G. Goos, J. Hartmanis and J. van Leeuwen Advisory Board: W. Brauer D. Gries J. Stoer Radhia Cousot David A. Schmidt (Eds.) Static Analysis Third International Symposium, SAS '96 Aachen, Germany, September 24-26, 1996 Proceedings ~ Springer Series Editors Gerhard Goos, Karlsruhe University, Germany Juris Hartmanis, Cornell University, NY, USA Jan van Leeuwen, Utrecht University, The Netherlands Volume Editors Radhia Cousot l~cole Polytechnique, Laboratoire d'Inforrnatique F-91128 Palaiseau Cedex, France E-mail: radhia.cousot @lix.polytechnique.fr David A. Schmidt Kansas State University, Department of Computing and Information Sciences Manhattan, KS 66506, USA E-maih [email protected] Cataloging-in-Publication data applied for Die Deutsche Bibliothek - CIP-Einheitsaufnahme Static analysis : third international symposium ; proceedings / SAS '96, Aachen, Germany, September 24 - 26, 1996. Radhia Cousot ; David A. Schmidt (ed.). - Berlin ; Heidelberg ; New York ; Barcelona ; Budapest ; Hong Kong ; London ; Milan ; Paris ; Santa Clara ; Singapore ; Tokyo : Springer, 1996 (Lecture notes in computer science ; Vol. 1145) ISBN 3-540-61739-6 NE: Cousot, Radhia [Hrsg.]; SAS <3, 1996, Aachen>; GT CR Subject Classification (1991): D.1, D.2.8, D.3.2-3,F.3.1-2, F.4.2 ISSN 0302-9743 ISBN 3-540-61739-6 Springer-Verlag Berlin Heidelberg New York This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer -Verlag.
    [Show full text]
  • On Abstraction in Software Verification ‹
    On Abstraction in Software Verification ‹ Patrick Cousot1 and Radhia Cousot2 1 École normale supérieure, Département d'informatique, 45 rue d'Ulm, 75230 Paris cedex 05, France [email protected] www.di.ens.fr/~cousot/ 2 CNRS & École polytechnique, Laboratoire d'informatique, 91128 Palaiseau cedex, France [email protected] lix.polytechnique.fr/~rcousot Abstract. We show that the precision of static abstract software check- ing algorithms can be enhanced by taking explicitly into account the ab- stractions that are involved in the design of the program model/abstract semantics. This is illustrated on reachability analysis and abstract test- ing. 1 Introduction Most formal methods for reasoning about programs (such as deductive meth- ods, software model checking, dataflow analysis) do not reason directly on the trace-based operational program semantics but on an approximate model of this semantics. The abstraction involved in building the model of the program seman- tics is usually left implicit and not discussed. The importance of this abstraction appears when it is made explicit for example in order to discuss the soundness and (in)completeness of temporal-logic based verification methods [1, 2]. The purpose of this paper is to discuss the practical importance of this ab- straction when designing static software checking algorithms. This is illustrated on reachability analysis and abstract testing. 2 Transition Systems We follow [3, 4] in formalizing a hardware or software computer system by a transition system xS; t; I; F; Ey with set of states S, transition relation t Ď pS ˆ Sq, initial states I Ď S, erroneous states E Ď S, and final states F Ď S.
    [Show full text]
  • Caterina Urban
    CATERINA URBAN DATE AND PLACE OF BIRTH March 9th, 1987, Udine, Italy NATIONALITY Italian ADDRESS École Normale Supérieure, 45 rue d’Ulm, 75005 Paris, France EMAIL [email protected] WEBPAGE https://caterinaurban.github.io DBLP http://dblp.org/pers/hd/u/Urban:Caterina GOOGLE SCHOLAR http://scholar.google.it/citations?user=4-u1_HIAAAAJ CURRENT POSITION • INRIA, Paris, France — Research Scientist (Chargé de Recherche), Feb 2019 - Now EDUCATION • École Normale Supérieure, Paris, France — Ph.D. in Computer Science, Dec 2011 - July 2015 Subject: Static Analysis by Abstract Interpretation of Functional Temporal Properties of Programs Advisors: Radhia Cousot (Emeritus Research Director, CNRS, Paris, France) and Antoine Miné (Research Scientist, CRNS, Paris, France) Final mark: summa cum laude • Menlo College, Atherton, USA — Fifth Summer School on Formal Techniques, May 2015 • Università degli Studi di Udine, Italy — Master’s degree in Computer Science, Fall 2009 - Fall 2011 Final mark: summa cum laude • Università degli Studi di Udine, Italy — Bachelor’s degree in Computer Science, Fall 2006 - Fall 2009 Final mark: summa cum laude GRANTS • Industrial Grant, Fujitsu: “Formal Verification Techniques for Machine Learning Systems”, Oct 2021 - Sep 2022 • Industrial Grant, Airbus: “State of the Art in Formal Methods for Artificial Intelligence”, 2020 • Principal Investigator, ETH Career Seed Grant, ETH Zurich: “Static Analysis for Data Science Applications”, 30kCHF, Jan 2017 - Dec 2017 AWARDS AND HONORS • Invited Paper at IJCAI 2016 - Sister Conference
    [Show full text]
  • Patrick Cousot
    Abstract Interpretation: From Theory to Tools Patrick Cousot cims.nyu.edu/~pcousot/ pc12ou)(sot@cims$*.nyu.edu ICSME 2014, Victoria, BC, Canada, 2014-10-02 1 © P. Cousot Bugs everywhere! Ariane 5.01 failure Patriot failure Mars orbiter loss Russian Proton-M/DM-03 rocket (overflow error) (float rounding error) (unit error) carrying 3 Glonass-M satellites (unknown programming error :) unsigned int payload = 18; /* Sequence number + random bytes */ unsigned int padding = 16; /* Use minimum padding */ /* Check if padding is too long, payload and padding * must not exceed 2^14 - 3 = 16381 bytes in total. */ OPENSSL_assert(payload + padding <= 16381); /* Create HeartBeat message, we just use a sequence number * as payload to distuingish different messages and add * some random stuff. * - Message Type, 1 byte * - Payload Length, 2 bytes (unsigned int) * - Payload, the sequence number (2 bytes uint) * - Payload, random bytes (16 bytes uint) * - Padding */ buf = OPENSSL_malloc(1 + 2 + payload + padding); p = buf; /* Message Type */ *p++ = TLS1_HB_REQUEST; /* Payload length (18 bytes here) */ s2n(payload, p); /* Sequence number */ s2n(s->tlsext_hb_seq, p); /* 16 random bytes */ RAND_pseudo_bytes(p, 16); p += 16; /* Random padding */ RAND_pseudo_bytes(p, padding); ret = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); Heartbleed (buffer overrun) ICSME 2014, Victoria, BC, Canada, 2014-10-02 2 © P. Cousot Bugs everywhere! Ariane 5.01 failure Patriot failure Mars orbiter loss Russian Proton-M/DM-03 rocket (overflow error) (float rounding error) (unit error) carrying 3 Glonass-M satellites (unknown programming error :) unsigned int payload = 18; /* Sequence number + random bytes */ unsigned int padding = 16; /* Use minimum padding */ /* Check if padding is too long, payload and padding * must not exceed 2^14 - 3 = 16381 bytes in total.
    [Show full text]
  • Abstract Interpretation and Application to Logic Programs ∗
    Abstract Interpretation and Application to Logic Programs ∗ Patrick Cousot Radhia Cousot LIENS, École Normale Supérieure LIX, École Polytechnique 45, rue d’Ulm 91128 Palaiseau cedex (France) 75230 Paris cedex 05 (France) [email protected] [email protected] Abstract. Abstract interpretation is a theory of semantics approximation which is usedfor the con­ struction of semantics-basedprogram analysis algorithms (sometimes called“data flow analysis”), the comparison of formal semantics (e.g., construction of a denotational semantics from an operational one), the design of proof methods, etc. Automatic program analysers are used for determining statically conservative approximations of dy­ namic properties of programs. Such properties of the run-time behavior of programs are useful for debug­ ging (e.g., type inference), code optimization (e.g., compile-time garbage collection, useless occur-check elimination), program transformation (e.g., partial evaluation, parallelization), andeven program cor­ rectness proofs (e.g., termination proof). After a few simple introductory examples, we recall the classical framework for abstract interpretation of programs. Starting from a standardoperational semantics formalizedas a transition system, classes of program properties are first encapsulatedin collecting semantics expressedas fixpoints on partial orders representing concrete program properties. We consider invariance properties characterizing the descendant states of the initial states (corresponding to top/down or forward analyses), the ascendant states of the final states (corresponding to bottom/up or backward analyses) as well as a combination of the two. Then we choose specific approximate abstract properties to be gatheredabout program behaviors andexpress them as elements of a poset of abstract properties. The correspondencebetween concrete andabstract properties is establishedby a concretization andabstraction function that is a Galois connection formalizing the loss of information.
    [Show full text]
  • 1 Employment 2 Education 3 Grants
    STEPHEN F. SIEGEL Curriculum Vitæ Department of Computer and Information Sciences email: [email protected] 101 Smith Hall web: http://vsl.cis.udel.edu/siegel.html University of Delaware tel: (302) 831{0083, fax: (302) 831{8458 Newark, DE 19716 citizenship: U.S.A. 1 Employment Associate Professor, Department of Computer and Information Sciences and Department of Math- ematical Sciences, University of Delaware, September 2012 to present Assistant Professor, Department of Computer and Information Sciences and Department of Math- ematical Sciences, University of Delaware, September 2006 to August 2012 Senior Research Scientist, Laboratory for Advanced Software Engineering Research, Department of Computer Science, University of Massachusetts Amherst, August 2001 to August 2006 Senior Software Engineer, Laboratory for Advanced Software Engineering Research, Department of Computer Science, University of Massachusetts Amherst, August 1998 to July 2001 Visiting Assistant Professor, Department of Mathematics, University of Massachusetts Amherst, September 1996 to August 1998 Visiting Assistant Professor, Department of Mathematics, Northwestern University, September 1993 to June 1996 2 Education Ph.D., Mathematics, University of Chicago, August 1993 (Advisor: Prof. Jonathan L. Alperin) M.Sc., Mathematics, Oxford University, June 1989 B.A., Mathematics, University of Chicago, June 1988 3 Grants • Principal Investigator, National Science Foundation Award CCF-0953210 Supplement 001, Extension of TASS to Chapel, June 1, 2011 { May 31, 2012. Award amount: $99,333. • Principal Investigator, National Science Foundation Award CNS-0958512, Computing Research Infras- tructure program, II-New: System Acquisition for the Development of Scalable Parallel Algorithms for Scientific Computing, May 1, 2010 { April 30, 2013. Co-PIs: Peter B. Monk, Douglas M. Swany, and Krzysztof Szalewicz.
    [Show full text]
  • Reliability and Safety of Critical Device Software Systems Neeraj Kumar Singh
    Reliability and Safety of Critical Device Software Systems Neeraj Kumar Singh To cite this version: Neeraj Kumar Singh. Reliability and Safety of Critical Device Software Systems. Other [cs.OH]. Université Henri Poincaré - Nancy 1, 2011. English. NNT : 2011NAN10129. tel-01746287 HAL Id: tel-01746287 https://hal.univ-lorraine.fr/tel-01746287 Submitted on 29 Mar 2018 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. AVERTISSEMENT Ce document est le fruit d'un long travail approuvé par le jury de soutenance et mis à disposition de l'ensemble de la communauté universitaire élargie. Il est soumis à la propriété intellectuelle de l'auteur. Ceci implique une obligation de citation et de référencement lors de l’utilisation de ce document. D’autre part, toute contrefaçon, plagiat, reproduction illicite encourt une poursuite pénale. ➢ Contact SCD Nancy 1 : [email protected] LIENS Code de la Propriété Intellectuelle. articles L 122. 4 Code de la Propriété Intellectuelle. articles L 335.2- L 335.10 http://www.cfcopies.com/V2/leg/leg_droi.php http://www.culture.gouv.fr/culture/infos-pratiques/droits/protection.htm UFR STMIA École Doctorale IAEM Lorraine Fiabilité et Sûreté des Systèmes Informatiques Critiques Thèse présentée et soutenue publiquement le 15 novembre 2011 pour l’obtention du Doctorat de l’Université Henri Poincaré - Nancy 1 (Mention : informatique) par Neeraj Kumar SINGH Composition du jury : Rapporteurs : Prof.
    [Show full text]
  • Project-Team Abstraction Abstract Interpretation
    INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE Project-Team Abstraction Abstract Interpretation Paris - Rocquencourt Theme : Programs, Verification and Proofs c t i v it y ep o r t 2009 Table of contents 1. Team .................................................................................... 1 2. Overall Objectives ........................................................................ 1 2.1. Overall Objectives 1 2.2. Highlights of the Year 2 3. Scientific Foundations .....................................................................2 3.1. Abstract Interpretation Theory 2 3.2. Formal Verification by Abstract Interpretation 2 3.3. Advanced Introductions to Abstract Interpretation 3 4. Application Domains ......................................................................3 4.1. Certification of Safety Critical Software 3 4.2. Security Protocols 4 4.3. Abstraction of Biological Cell Signaling Networks 4 5. Software ................................................................................. 5 5.1. The Astrée Static Analyzer 5 5.2. The Apron Numerical Abstract Domain Library 5 5.3. Translation Validation 6 5.4. ProVerif 6 5.5. CryptoVerif 7 6. New Results .............................................................................. 8 6.1. Space Software Validation using Abstract Interpretation 8 6.2. Why does Astrée scale up? 8 6.3. Design of the Apron Library 8 6.4. Hierarchy of Semantics by Abstract Interpretation and Formal Proofs 9 6.5. Semantics Design by Abstract Interpretation 9 6.5.1. Bi-inductive Definitions and Bifinitary Semantics of the Eager Lambda-Calculus 9 6.5.2. Abstract Semantics of Resolution-Based Logic Languages 9 6.6. Verification of Security Protocols in the Formal Model 10 6.6.1. Book Chapter on Using Horn Clauses for the Verification of Security Protocols 10 6.6.2. Extensions of ProVerif 10 6.7. Verification of Security Protocols in the Computational Model 11 6.7.1.
    [Show full text]
  • Introduction to Abstract Interpretation
    Introduction to Abstract Interpretation Bruno Blanchet D´epartement d'Informatique Ecole´ Normale Sup´erieure, Paris and Max-Planck-Institut fur¨ Informatik [email protected] November 29, 2002 Abstract We present the basic theory of abstract interpretation, and its application to static program analysis. The goal is not to give an exhaustive view of abstract interpretation, but to give enough background to make papers on abstract interpretation more under- standable. Notations: λx.M denotes the function that maps x to M. f[x 7! M] denotes the function f extended so that x is mapped to M. If f was already defined at x, the new binding replaces the old one. 1 Introduction The goal of static analysis is to determine runtime properties of programs without executing them. (Scheme of an analyzer: Program ! Analyzer ! Properties.) Here are some examples of properties can be proved by static analysis: • For optimization: { Dead code elimination { Constant propagation { Live variables { Stack allocation (more complex) • For verification: { Absence of runtime errors: division by zero, square root of negative numbers, overflows, array index out of bounds, pointer dereference outside objects, . { Worst-case execution time (see Wilhelm's work with his team and AbsInt) { Security properties (secrecy, authenticity of protocols, . ) 1 However, most interesting program properties are undecidable. The basic result to show undecidability is the undecidability of the halting problem. Proof By contradiction. Assume that there exists Halt(P,E) returning Yes when P termi- nates on entry E, No otherwise. Consider P'(P) = if Halt(P,P) then loop else stop. • If P'(P') loops, Halt(P',P') = true, so P'(P') stops: contradiction.
    [Show full text]
  • A Casual Introduction to Abstract Interpretation Examples of Abstractions
    CMACS Workshop on Systems Biology and Formals Methods (SBFM'12) Abstractions of Dora Maar by Picasso A casual introduction to Abstract Interpretation NYU, 29–30 March 2012 Patrick Cousot cs.nyu.edu/~pcousot di.ens.fr/~cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 1 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 3 © P. Cousot Pixelation of a photo by Jay Maisel Examples of Abstractions www.petapixel.com/2011/06/23/how-much-pixelation-is-needed-before-a-photo-becomes-transformed/ P. Cousot & R. Cousot. A gentle introduction to formal verification of computer systems by abstract interpretation. In Logics and Languages for Reliability and Security, J. Esparza, O. Grumberg, & Image credit: Photograph by Jay Maisel M. Broy (Eds), NATO Science Series III: Computer and Systems Sciences, © IOS Press, 2010, Pages 1—29. CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 2 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 4 © P. Cousot II.P. Combination of abstract domains Abstract interpretation-based tools usually use several different abstract domains, since the design of a complex one is best decomposed into a combination of simpler abstract domains. Here are a few abstract 2 An old idea... domain examples used inNumerical the Astree´ static abstractions analyzer: in Astrée y y y 20 000 years old picture in a spanish cave: x x x Collecting semantics:1, 5 Intervals:20 Simple congruences:24 partial traces x [a, b] x a[b] ⌃ ⌅ y y y t x x The concrete is not always well-known! Octagons:25 Ellipses:26 Exponentials:27 x y a x2 + by2 axy d abt y(t) abt ± ± ⇥ − ⇥ − ⇥ ⇥ CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 5 © P.
    [Show full text]