Colloquium d’informatique de l’UPMC Sorbonne Universités
Abstract Interpretation
29 septembre 2016, 18:00, Amphi 15, 4 Place Jussieu, 75005 Paris
Patrick Cousot
cs.nyu.edu/~pcousot
Abstract interpretation, Colloquium d’informatique de l’UPMC Sorbonne Universités, 29 Septembre 2016 1 © P. Cousot

This is an abstract interpretation
[Slide 2: a picture only, no text.]

Scientific research
• In Mathematics/Physics: a trend towards unification and synthesis through universal principles
• In Computer science: a trend towards dispersion and parcellation through an ever-growing collection of local ad hoc techniques for specific applications
An exponential process, which will stop!

Example: reasoning on computational structures
[Slide 5: a word cloud of techniques for reasoning on computational structures. The recoverable items, in no particular order: WCET analysis, operational semantics, security protocol verification, systems biology, axiomatic semantics, abstraction refinement, dataflow analysis, model checking, database query, confidentiality analysis, type inference, partial evaluation, obfuscation, dependence analysis, program synthesis, denotational semantics, separation logic, effect systems, grammar analysis, CEGAR, theories combination, program transformation, termination proof, statistical model-checking, trace semantics, interpolants, abstract model checking, shape analysis, code contracts, invariance proof, symbolic execution, integrity analysis, malware detection, probabilistic verification, quantum entanglement detection, bisimulation, SMT solvers, code refactoring, parsing, type theory, steganography, tautology testers.]
[Slides 6 and 7 repeat the same word cloud; slide 7 adds "Abstract interpretation" to it, as the common framework in which all of these techniques can be understood.]
Intuition 1
[Slides 8 to 15: a sequence of pictures captioned Concrete; Abstraction 1; Abstraction 2; Concretization 2 …; Concretization 1 …; Abstract interpretations. The last two slides name the abstraction maps α1, α2 and the concretization maps γ2, γ1, and show that abstract interpretations compose: abstracting twice then concretizing twice is the composition α1;α2;γ2;γ1, i.e. (α1;α2) followed by (γ2;γ1).]

Intuition 2
[Slide 17: everyday abstractions of a person: height, individual heights (min, max), fingerprint, eye color, DNA, phone metadata, …]

Interval abstraction
• Example: interval abstraction (also called box abstraction)
[Figure: a set of points in the (x, y) plane and its interval abstraction, the box [mx,Mx]×[my,My], where mx and Mx are the smallest and largest x coordinates of the points and my and My the smallest and largest y coordinates.]

Intuition 3
A C program and one of its executions

  #include <stdio.h>

  int main()
  {
    int x, y;
    printf("Enter two integers: ");
    scanf("%d %d", &x, &y);
    /* 1: */ while ((x != 6) || (y != 0)) {
      printf("x = %d, y = %d\n", x, y);
      /* 2: */ x = x + 3;
      /* 3: */ if (x > 10) x = -x;
      /* 4: */ y = y - 2;
      /* 5: */ if (y < -5) y = -y;
    }
    /* 6: */ printf("x = %d, y = %d\n", x, y);
  }

Execution for the input 0 0 (one line per visit of program point 1, then the final state printed at point 6):

  Enter two integers:
  x = 0, y = 0
  x = 3, y = -2
  x = 6, y = -4
  x = 9, y = 6
  x = -12, y = 4
  x = -9, y = 2
  x = -6, y = 0
  x = -3, y = -2
  x = 0, y = -4
  x = 3, y = 6
  x = 6, y = 4
  x = 9, y = 2
  x = -12, y = 0
  x = -9, y = -2
  x = -6, y = -4
  x = -3, y = 6
  x = 0, y = 4
  x = 3, y = 2
  x = 6, y = 0

Graphical representation of the execution (1)
[Figure: the 19 states of this execution plotted in the (x, y) plane and numbered 0 to 18 along the trajectory, from x = 0, y = 0 to x = 6, y = 0; the states x = 9, y = 6 and x = -12, y = 4 are labelled.]

Graphical representation of the execution (2)
[Figure: x and y plotted against time t, from t = 0 (x = 0, y = 0) to t = 18 (x = 6, y = 0).]

Semantics
Formalize what it means to run a program
[Figure: a state trajectory over time.]

Properties (Collecting semantics)
Formalize what you are interested to know about program behaviors

Specification
Formalize what you are interested to prove about program behaviors
[Figure: the possible trajectories and a forbidden zone they must not enter.]
Abstraction
Abstract away all information on program behaviors irrelevant to the proof
[Figure: forbidden zone, possible trajectories, and the abstraction of the trajectories, an envelope containing all of them.]

Verification
The proof is fully automatic
[Figure: the abstraction of the trajectories does not meet the forbidden zone.]

Soundness
Never forget any possible case, so the abstract proof is correct in the concrete
[Figure: every possible trajectory lies inside the abstraction of the trajectories.]

Unsound methods: testing
Try a few cases

Unsound methods: bounded model checking
Simulate the beginning of all executions (so-called bounded model-checking)
[Figure: bounded model-checking explores only a prefix of each possible trajectory, so a later entry into the forbidden zone is missed.]

Unsound methods: soundiness
Many static analysis tools are unsound (e.g. Coverity, etc.), so inconclusive

Alarms
When abstract proofs may fail while concrete proofs would succeed
[Figure: the abstraction of the trajectories meets the forbidden zone. Alarm!!! Error or false alarm?]
By soundness an alarm must be raised for this over-approximation!

True alarm
The abstract alarm may correspond to a concrete error
[Figure: forbidden zone, possible trajectories; one of them actually enters the forbidden zone: Error.]

False alarm
The abstract alarm may correspond to no concrete error (false positive)
[Figure: forbidden zone.]
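To make the pictures concrete, here is an interval ("box") analysis of the C program above. It is an added example written for this page, not code from the slides. It computes a loop invariant at program point 1 by iterating the abstract transfer function of the loop body from the input x = 0, y = 0, checks that this invariant contains every state of the execution shown, and then checks two forbidden zones: x < -13, which is proved unreachable, and x < -12, which raises a false alarm because the box [-13, 10] × [-5, 7] contains x = -13 although no state of the execution reaches it. The function names (meet, join, widen, analyze, alarm, run, contains), the non-relational treatment of the loop test as a join of two filtered states, and the widening operator are this example's own choices, not the slides'.

```python
# Interval ("box") abstract interpretation of the C loop above. Added example,
# not code from the slides: x and y are abstracted by one interval each (a
# non-relational domain); the loop test (x != 6) || (y != 0) becomes a join.
from typing import List, Optional, Tuple

INF = float("inf")
Interval = Optional[Tuple[float, float]]  # (lo, hi), lo <= hi; None = bottom
State = Tuple[Interval, Interval]         # (x, y); a None component = unreachable

def meet(a: Interval, b: Interval) -> Interval:  # intersection
    if a is None or b is None:
        return None
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def join(a: Interval, b: Interval) -> Interval:  # convex hull (the gap is lost)
    if a is None or b is None:
        return b if a is None else a
    return (min(a[0], b[0]), max(a[1], b[1]))

def widen(old: Interval, new: Interval) -> Interval:  # a bound that grew goes to infinity
    if old is None or new is None:
        return new if old is None else old
    return (old[0] if new[0] >= old[0] else -INF, old[1] if new[1] <= old[1] else INF)

def add_const(a: Interval, c: int) -> Interval:
    return None if a is None else (a[0] + c, a[1] + c)

def neg(a: Interval) -> Interval:
    return None if a is None else (-a[1], -a[0])

def not_equal(a: Interval, c: int) -> Interval:
    """Filter 'v != c' on integers: exact only when c is a bound of the interval."""
    if a is None or a == (c, c):
        return None
    if a[0] == c:
        return (c + 1, a[1])
    return (a[0], c - 1) if a[1] == c else a

def join_state(s: State, t: State) -> State:
    if None in s:
        return t
    if None in t:
        return s
    return (join(s[0], t[0]), join(s[1], t[1]))

def enter_loop(s: State) -> State:
    """Abstract test (x != 6) || (y != 0): join of the two disjuncts."""
    x, y = s
    return join_state((not_equal(x, 6), y), (x, not_equal(y, 0)))

def exit_loop(s: State) -> State:
    """Abstract test of the negation, x == 6 && y == 0."""
    return (meet(s[0], (6, 6)), meet(s[1], (0, 0)))

def body(s: State) -> State:
    """Abstract transfer function of one loop iteration (points 2-5)."""
    x, y = s
    x = add_const(x, 3)                                     # 2: x = x + 3;
    x = join(neg(meet(x, (11, INF))), meet(x, (-INF, 10)))  # 3: if (x > 10) x = -x;
    y = add_const(y, -2)                                    # 4: y = y - 2;
    y = join(neg(meet(y, (-INF, -6))), meet(y, (-5, INF)))  # 5: if (y < -5) y = -y;
    return (x, y)

def analyze(x0: Interval, y0: Interval, widen_after: Optional[int] = None,
            max_iter: int = 100) -> Tuple[State, State, int]:
    """Solve S1 = S0 join body(enter_loop(S1)) by increasing iteration (widening from
    iteration widen_after on). Returns (invariant at point 1, state at point 6, iterations)."""
    s: State = (x0, y0)
    for i in range(1, max_iter + 1):
        nxt = join_state(s, body(enter_loop(s)))
        if widen_after is not None and i > widen_after:
            nxt = (widen(s[0], nxt[0]), widen(s[1], nxt[1]))
        if nxt == s:                      # post-fixpoint reached: a loop invariant
            return s, exit_loop(s), i
        s = nxt
    raise RuntimeError("no fixpoint within max_iter")

def alarm(inv: State, forbidden_x: Interval) -> bool:
    """Sound check of 'x never in forbidden_x at point 1': alarm iff the box meets the zone."""
    return meet(inv[0], forbidden_x) is not None

def run(x: int, y: int, max_steps: int = 1000) -> List[Tuple[int, int]]:
    """Concrete execution: states at point 1, then the final state (some inputs, e.g. x = 1, never exit)."""
    trace = [(x, y)]
    while (x != 6 or y != 0) and len(trace) <= max_steps:
        x = x + 3
        if x > 10:
            x = -x
        y = y - 2
        if y < -5:
            y = -y
        trace.append((x, y))
    return trace

def contains(inv: State, trace: List[Tuple[int, int]]) -> bool:
    """Soundness check: every concrete state of the trace lies in the invariant."""
    (xl, xh), (yl, yh) = inv
    return all(xl <= x <= xh and yl <= y <= yh for x, y in trace)
```

Calling analyze((0, 0), (0, 0)) converges in 6 iterations to x ∈ [-13, 10], y ∈ [-5, 7] at point 1 and to x = 6, y = 0 at point 6; the box is sound for the 19-state execution above but not exact (the values -13 and 10 for x, and -5 and 7 for y, are never reached), which is where the false alarm for the zone x < -12 comes from. Forcing convergence with widen_after=2 loses everything about the loop head (both intervals become unbounded) while the exit state is still recovered by the exit test; and with unknown inputs, analyze((-INF, INF), (-INF, INF)), the interval domain proves nothing at the loop head in one iteration, so a more precise abstraction would be needed there.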