
Verifying correct usage of context-free API protocols

Published: 04 January 2021

Abstract

Several real-world libraries (e.g., reentrant locks, GUI frameworks, serialization libraries) require their clients to use the provided API in a manner that conforms to a context-free specification. Motivated by this observation, this paper describes a new technique for verifying the correct usage of context-free API protocols. The key idea underlying our technique is to over-approximate the program’s feasible API call sequences using a context-free grammar (CFG) and then check language inclusion between this grammar and the specification. However, since this inclusion check may fail due to imprecision in the program’s CFG abstraction, we propose a novel refinement technique to progressively improve the CFG. In particular, our method obtains counterexamples from CFG inclusion queries and uses them to introduce new non-terminals and productions to the grammar while still over-approximating the program’s relevant behavior.

We have implemented the proposed algorithm in a tool called CFPChecker and evaluate it on 10 popular Java applications that use at least one API with a context-free specification. Our evaluation shows that CFPChecker is able to verify correct usage of the API in clients that use it correctly and produces counterexamples for those that do not. We also compare our method against three relevant baselines and demonstrate that CFPChecker enables verification of safety properties that are beyond the reach of existing tools.
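The abstract's "over-approximate, then check inclusion" idea, as an added illustration that is not CFPChecker's code: a program abstraction given as a CFG with one nonterminal per method (constructed toy programs), the reentrant-lock protocol as the Dyck language over lock/unlock, and a bounded enumeration of the program grammar standing in for the inclusion check, which returns the first API call sequence the specification rejects. The method names, grammars and the step bound are assumptions; the paper's refinement loop is not shown.

```python
from collections import deque

# Constructed toy programs (not from the paper). Each nonterminal is a method;
# each production is one path through it, with callees left as nonterminals.
# The abstraction keeps only the API calls, so it over-approximates feasible traces.
SAFE_PROGRAM = {
    "main": [["lock", "foo", "unlock"]],
    "foo":  [["lock", "bar", "unlock"], ["bar"]],   # two branches, both balanced
    "bar":  [["lock", "unlock"], []],               # may skip the lock entirely
}
BUGGY_PROGRAM = {
    "main": [["lock", "foo", "unlock"]],
    "foo":  [["lock", "bar"], ["bar"]],             # first branch forgets unlock
    "bar":  [["lock", "unlock"], []],
}

def in_reentrant_lock_spec(trace):
    """Specification membership: no unlock without a matching earlier lock, and
    every lock released on exit. This is the Dyck language
    S -> eps | lock S unlock S, decided here with a single counter."""
    depth = 0
    for call in trace:
        depth += 1 if call == "lock" else -1
        if depth < 0:            # unlock on a lock that is not held
            return False
    return depth == 0            # a lock still held at exit is also a violation

def sentences(grammar, start, max_steps):
    """Terminal strings derivable from `start` in at most max_steps leftmost
    derivation steps: a finite under-approximation of L(grammar) that stands in
    for the (in general undecidable) CFG inclusion check of the paper."""
    seen = {(start,)}
    queue = deque([((start,), 0)])
    out = []
    while queue:
        form, steps = queue.popleft()
        idx = next((i for i, s in enumerate(form) if s in grammar), None)
        if idx is None:          # no nonterminal left: a concrete API trace
            out.append(list(form))
            continue
        if steps == max_steps:
            continue
        for rhs in grammar[form[idx]]:
            new = form[:idx] + tuple(rhs) + form[idx + 1:]
            if new not in seen:  # dedup sentential forms reached by several paths
                seen.add(new)
                queue.append((new, steps + 1))
    return out

def find_violation(program, spec, max_steps=6):
    """Bounded stand-in for L(program) ⊆ L(spec): the first derivable call
    sequence that the specification rejects, or None if none is found."""
    for trace in sentences(program, "main", max_steps):
        if not spec(trace):
            return trace
    return None

if __name__ == "__main__":
    print("safe program:", find_violation(SAFE_PROGRAM, in_reentrant_lock_spec))
    print("buggy program:", find_violation(BUGGY_PROGRAM, in_reentrant_lock_spec))
```

Because the enumeration is bounded it can only report counterexamples, not prove inclusion; the paper's contribution is the unbounded check plus counterexample-driven refinement of the program grammar.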

