Abstract
We present a framework for computing context-free language reachability properties when parts of the program are missing. Our framework infers candidate specifications for missing program pieces that are needed for verifying a property of interest, and presents these specifications to a human auditor for validation. We have implemented this framework for a taint analysis of Android apps that relies on specifications for Android library methods. In an extensive experimental study on 179 apps, our tool performs verification with only a small number of queries to a human auditor.
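As an added illustration of the idea in the abstract (constructed example code, not the paper's tool), the sketch below treats each missing library specification as an unknown edge in a data-flow graph, uses plain graph reachability in place of CFL reachability, and asks a stand-in auditor only about the methods on the smallest candidate specification, pruning a refuted method's edges and retrying. The graph, the method names and the auditor's answers are all assumptions.

```python
# Constructed data-flow graph of a toy app (not from the paper). Edge = (src, dst, lib):
# lib is None for flows the analysis understands itself, or the name of a library
# method whose taint behaviour is unknown because its specification is missing.
EDGES = [
    ("deviceId", "s1", None),            # s1 = getDeviceId()            (source)
    ("s1", "s2", "Base64.encode"),       # s2 = Base64.encode(s1)
    ("s2", "msg", "String.concat"),      # msg = prefix.concat(s2)
    ("s1", "n", "String.length"),        # n = s1.length()
    ("n", "msg", None),                  # msg = "" + n
    ("msg", "sendText", None),           # sendTextMessage(msg)          (sink)
]

# Constructed stand-in for the human auditor: does the result depend on the tainted argument?
AUDITOR_ANSWERS = {"Base64.encode": True, "String.concat": True, "String.length": False}

def auditor(method):
    return AUDITOR_ANSWERS[method]

def paths(edges, src, dst):
    """For every simple path src->dst, return the set of unknown library
    methods it depends on; each such set is a candidate specification."""
    out, stack = [], [(src, [src], frozenset())]
    while stack:
        node, seen, libs = stack.pop()
        if node == dst:
            out.append(libs)
            continue
        for a, b, lib in edges:
            if a == node and b not in seen:
                stack.append((b, seen + [b], libs | ({lib} if lib else frozenset())))
    return out

def verify(edges, src, dst, ask):
    """Decide whether taint flows src->dst, asking the auditor only about the
    methods in the smallest candidate spec; a refuted method's edges are dropped
    and the search repeats. Returns (flow_exists, validated_spec, queries)."""
    answers = {}
    while True:
        cands = sorted(paths(edges, src, dst), key=lambda s: (len(s), sorted(s)))
        if not cands:
            return False, frozenset(), len(answers)      # no path left: verified safe
        for m in sorted(cands[0]):
            if m not in answers:
                answers[m] = ask(m)
            if not answers[m]:
                edges = [e for e in edges if e[2] != m]  # spec refuted: prune its edges
                break
        else:
            return True, cands[0], len(answers)          # every method confirmed
```

With the constructed answers the one-method candidate `String.length` is refuted first, then both methods of the remaining candidate are confirmed, so the flow is established with three auditor queries.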