
Some Improvements for More Precise Model Checking

Zhi Zhang

State Key Laboratory for Novel Software Technology

Nanjing University, China

Outline

Introduction

Model checking is an automatic technique for verifying finite-state systems. It exhaustively checks a finite-state model of a system for violations of a safety property that is formally specified as a formula in some temporal logic, an automaton, or a collection of assertions.

[Figure: the checked system is abstracted into a finite-state model and the safety property into a safety model; the model checker takes both as input and produces the results.]

Introduction

Existing model checkers either cannot be applied to large-scale systems because of state explosion, or, like MOPS, trade precision for scalability. To overcome these problems, we have developed EMOPS, an extended tool based on MOPS, which greatly increases MOPS’ precision while maintaining its scalability.

[Figure: EMOPS overview. Inputs: C program and security model. Pipeline: program slice → compaction → alias analysis → model checker → counterexample path → path instrumentation → path verification by BLAST; BLAST’s verdict (true/false) decides whether the path is reported as a warning or discarded as a spurious path.]

EMOPS overview

The three parts of the pipeline that EMOPS adds or extends: dataflow analysis, the model checker, and counterexample path verification.

Contributions:
1. Combination of control flow and dataflow information.
2. Extension of the model checking algorithm.
3. Counterexample path verification.


Some improvements taken in EMOPS: Dataflow analysis

Program slice under the guide of the security model

Rules for program slice

Purpose of program slice: get the safety-relevant functions and reduce the cost of dataflow analysis.


Some improvements taken in EMOPS: Dataflow analysis

Demand-driven dataflow analysis

Rules for dataflow analysis

Purpose: the demand-driven alias analysis is done on the safety-relevant functions in bottom-up order to further reduce the cost of dataflow analysis.


Some improvements taken in EMOPS: Dataflow analysis

Algorithm for dataflow analysis:
1. Construct the call graph.
2. For each leaf node nd: Demand-Driven Alias Analysis(nd).
3. For each node nd in the loop: Fix Point Computation(nd).
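The three-step algorithm above, written out as an added example (this is not EMOPS’s own code). It builds the call graph only for functions reachable from the root (the demand-driven part), visits strongly connected components callees-first so leaves are analysed once, and iterates to a fixed point only inside recursive cycles. The summary it computes, “which formals may reach a free()”, and the sample program are constructed for this illustration; the slide does not fix either.

```python
"""Added example, not EMOPS's code: bottom-up, demand-driven interprocedural
summaries over a call graph following the three steps on the slide."""

# Constructed sample program: function -> formals and body statements.
# Statement forms: ("free", var) or ("call", callee, [actual vars]).
PROGRAM = {
    "main":    {"params": [],    "body": [("call", "release", ["p"]),
                                          ("call", "loop_a", ["q"])]},
    "release": {"params": ["x"], "body": [("call", "do_free", ["x"])]},
    "do_free": {"params": ["y"], "body": [("free", "y")]},
    "loop_a":  {"params": ["a"], "body": [("call", "loop_b", ["a"])]},   # mutual
    "loop_b":  {"params": ["b"], "body": [("call", "loop_a", ["b"]),     # recursion
                                          ("free", "b")]},
    "unused":  {"params": ["u"], "body": [("free", "u")]},  # not reachable from main
}

def build_call_graph(program, root):
    """Step 1: call graph restricted to functions reachable from root, so code
    the analysis never needs is never looked at (the demand-driven part)."""
    cg, work = {}, [root]
    while work:
        f = work.pop()
        if f in cg:
            continue
        cg[f] = {s[1] for s in program[f]["body"] if s[0] == "call"}
        work.extend(cg[f])
    return cg

def sccs_bottom_up(cg):
    """Tarjan's algorithm. Components are emitted callees-first, which is the
    bottom-up order the slide asks for: leaf functions come out before callers."""
    index, low, on_stack, stack, out = {}, {}, set(), [], []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v); on_stack.add(v)
        for w in cg[v]:
            if w not in index:
                visit(w); low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp = []
            while True:
                w = stack.pop(); on_stack.discard(w); comp.append(w)
                if w == v:
                    break
            out.append(comp)
    for v in cg:
        if v not in index:
            visit(v)
    return out

def analyze_function(f, program, summaries):
    """One pass over f's body: the set of formal indices that may be freed,
    mapping each callee's summary back through actual -> formal at the call."""
    formals = program[f]["params"]
    freed = set()
    for stmt in program[f]["body"]:
        if stmt[0] == "free":
            freed.add(stmt[1])
        else:
            _, callee, actuals = stmt
            for idx in summaries.get(callee, set()):
                freed.add(actuals[idx])
    return {i for i, name in enumerate(formals) if name in freed}

def demand_driven_summaries(program, root="main"):
    cg = build_call_graph(program, root)
    summaries = {}
    for comp in sccs_bottom_up(cg):
        recursive = len(comp) > 1 or comp[0] in cg[comp[0]]
        if not recursive:
            # Step 2: a leaf (or any non-recursive node) needs a single pass,
            # because all of its callees are already summarised.
            summaries[comp[0]] = analyze_function(comp[0], program, summaries)
            continue
        # Step 3: a recursive component is iterated to a fixed point. Summaries
        # only grow, so the iteration terminates.
        for f in comp:
            summaries[f] = set()
        changed = True
        while changed:
            changed = False
            for f in comp:
                new = analyze_function(f, program, summaries)
                if new != summaries[f]:
                    summaries[f] = new
                    changed = True
    return summaries

if __name__ == "__main__":
    for f, s in demand_driven_summaries(PROGRAM).items():
        print(f, sorted(s))
```

Running it shows do_free, release, loop_a and loop_b each freeing their first parameter, main freeing nothing, and unused absent from the result because it was never demanded.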


Some improvements taken in EMOPS: Model checker

Extended rules for the PDA. For an edge in the program’s CFG from program point p1 to p2 with statement i:
(1) If i is not a function call: <s1, p1, obj> → <s2, p2, obj>
(2) If i is a call to a function f: <si, p1, actual_obj> → <si, p2p3, formal_obj>
(3) If i is a return statement from a function f: <s1, fe, obj> → <s1, ε, ε>

Extended algorithm for model checker
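The three rules above in executable form, as an added example that is neither MOPS’s nor EMOPS’s code. The configuration carries the safety-automaton state, the program point, the call stack and the name of the tracked object; rule (2) renames the actual to the callee’s formal on a call and rule (3) pops on return. The CFG, the double-free automaton, the point and function names, and the choice to keep the caller-side name in the stack frame (so the object is renamed back on return) are all constructed for this illustration.

```python
"""Added example, not MOPS's or EMOPS's code: pushdown reachability that
carries a tracked object through calls and returns."""
from collections import deque

# Constructed sample CFG: program point -> list of (statement, successor).
# Statement kinds: ("alloc", var), ("free", var), ("assume", condition text),
# ("call", callee, [actuals]), ("return",). Point names are arbitrary labels.
CFG = {
    "m0": [(("alloc", "p"), "m1")],
    "m1": [(("call", "release", ["p"]), "m2")],          # release(p) frees it
    "m2": [(("assume", "flag"), "m3"), (("assume", "!flag"), "m4")],
    "m3": [(("free", "p"), "m4")],                        # second free on one branch
    "m4": [(("return",), None)],
    "release_entry": [(("free", "x"), "release_exit")],
    "release_exit": [(("return",), None)],
}
FORMALS = {"release": ["x"]}
ENTRY = {f: f + "_entry" for f in FORMALS}

# Safety model: FSA for the double-free property, keyed on (state, operation)
# applied to the tracked object; any unlisted pair leaves the state unchanged.
FSA = {("start", "alloc"): "live", ("live", "free"): "freed",
       ("freed", "free"): "error"}

def step_fsa(state, stmt, obj):
    """Rule (1): an ordinary statement moves the FSA only if it acts on obj."""
    if stmt[0] in ("alloc", "free") and stmt[1] == obj:
        return FSA.get((state, stmt[0]), state)
    return state

def model_check(cfg, start_point, obj, max_depth=8):
    """Breadth-first reachability over configurations
    <FSA state, program point, stack, tracked object name>. Each stack frame
    holds (return point, caller-side name) so the callee's formal is renamed
    back to the caller's actual when the call returns. max_depth bounds
    recursion so the explicit-stack search always terminates."""
    init = ("start", start_point, (), obj)
    parent = {init: None}
    queue = deque([init])
    while queue:
        conf = queue.popleft()
        state, point, stack, cur = conf
        if state == "error":
            return unwind(parent, conf)
        for stmt, nxt in cfg[point]:
            if stmt[0] == "call":
                if len(stack) >= max_depth:
                    continue
                callee, actuals = stmt[1], stmt[2]
                # Rule (2): push the return point and rename actual -> formal;
                # an object that is not passed is invisible inside the callee.
                formal = next((FORMALS[callee][i] for i, a in enumerate(actuals)
                               if a == cur), None)
                succ = (state, ENTRY[callee], stack + ((nxt, cur),), formal)
            elif stmt[0] == "return":
                if not stack:
                    continue                  # main returned: this path ends
                ret_point, caller_obj = stack[-1]
                succ = (state, ret_point, stack[:-1], caller_obj)   # Rule (3): pop
            else:
                succ = (step_fsa(state, stmt, cur), nxt, stack, cur)
            if succ not in parent:
                parent[succ] = (conf, stmt)
                queue.append(succ)
    return None                               # no violating path for obj

def unwind(parent, conf):
    """Rebuild the counterexample path (list of statements) from the search tree."""
    path = []
    while parent[conf] is not None:
        conf, stmt = parent[conf]
        path.append(stmt)
    return path[::-1]

if __name__ == "__main__":
    print(model_check(CFG, "m0", "p"))
```

For object p the checker returns the path alloc p, call release(p), free x, return, assume flag, free p: the free of the formal x inside release counts against the caller’s p only because the call rule carried the object name across the boundary. Without that renaming the second free would not be flagged. Note that the path through the !flag branch is not reported, and that the feasibility of the flag branch itself is exactly what the later BLAST step checks.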


Some improvements taken in EMOPS: Counterexample path verification

Purpose: to improve the precision of model checking results and reduce false positives.

The way for path verification: we employ the model checker BLAST to verify the path’s feasibility.

Steps of path verification:
(1) Path instrumentation
(2) Path verification by BLAST
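The two steps above, as an added example that is not EMOPS’s or BLAST’s code. Step (1) turns a counterexample path into a straight-line C program in which every branch condition the path assumed becomes a guard that leaves the function, so the label at the end is reachable exactly when the path is feasible; that program is what a verifier such as BLAST would then check. The second function is a cheap constant-propagation pre-filter that rejects a path whose own conditions are contradicted by the constants along it, which saves a verifier run; it never claims a path feasible. The path representation, the sample paths, the ERROR label name and the generated program’s shape are assumptions made for this illustration, and the emitted C still needs the original program’s declarations to compile.

```python
"""Added example, not EMOPS's or BLAST's code: path instrumentation plus a
constant-propagation pre-filter for counterexample paths."""
import ast
import re

# A path is a list of (kind, C text): "stmt" for a statement executed along
# the path, "cond" for a branch condition that was assumed true on it.
PATH_A = [("stmt", "char *p = malloc(16)"), ("stmt", "int n = 0"),
          ("cond", "n > 0"), ("stmt", "free(p)"), ("stmt", "free(p)")]   # n > 0 never holds
PATH_B = [("stmt", "char *p = malloc(16)"), ("stmt", "int n = read_int()"),
          ("cond", "n > 0"), ("stmt", "free(p)"), ("stmt", "free(p)")]   # depends on input

def instrument(path, error_label="ERROR"):
    """Step (1): emit the path as one C function. A condition the path assumed
    becomes a guard that leaves the function when it does not hold, so the
    label at the end is reachable iff the path is feasible."""
    lines = ["int main(void) {"]
    for kind, text in path:
        if kind == "cond":
            lines.append(f"    if (!({text})) return 0;  /* not this path */")
        else:
            lines.append(f"    {text.rstrip(';')};")
    lines.append(f"{error_label}: ;  /* reachability target for the verifier */")
    lines.append("    return 1;")
    lines.append("}")
    return "\n".join(lines)

UNKNOWN = None   # value of anything that comes from input or an untracked call

def eval_expr(expr, env):
    """Evaluate a small C-like integer expression under env; UNKNOWN if any
    operand is unknown. C's !, && and || are mapped to Python before parsing."""
    py = re.sub(r"!(?!=)", " not ", expr.replace("&&", " and ").replace("||", " or "))
    try:
        tree = ast.parse(py, mode="eval").body
    except SyntaxError:
        return UNKNOWN
    return _ev(tree, env)

def _ev(n, env):
    if isinstance(n, ast.Constant) and isinstance(n.value, int):
        return n.value
    if isinstance(n, ast.Name):
        return env.get(n.id, UNKNOWN)
    if isinstance(n, ast.UnaryOp):
        v = _ev(n.operand, env)
        if v is UNKNOWN:
            return UNKNOWN
        return (not v) if isinstance(n.op, ast.Not) else -v
    if isinstance(n, ast.BinOp):
        a, b = _ev(n.left, env), _ev(n.right, env)
        if a is UNKNOWN or b is UNKNOWN:
            return UNKNOWN
        ops = {ast.Add: lambda: a + b, ast.Sub: lambda: a - b, ast.Mult: lambda: a * b}
        return ops[type(n.op)]() if type(n.op) in ops else UNKNOWN
    if isinstance(n, ast.Compare) and len(n.ops) == 1:
        a, b = _ev(n.left, env), _ev(n.comparators[0], env)
        if a is UNKNOWN or b is UNKNOWN:
            return UNKNOWN
        ops = {ast.Gt: a > b, ast.Lt: a < b, ast.Eq: a == b, ast.NotEq: a != b,
               ast.GtE: a >= b, ast.LtE: a <= b}
        return ops.get(type(n.ops[0]), UNKNOWN)
    if isinstance(n, ast.BoolOp):
        vals = [_ev(v, env) for v in n.values]
        if any(v is UNKNOWN for v in vals):
            return UNKNOWN
        return all(vals) if isinstance(n.op, ast.And) else any(vals)
    return UNKNOWN   # calls, pointers, anything else: not tracked

# "int n = 0", "char *p = malloc(16)" and "n = n + 1" all match; group 1 is
# the variable, group 2 the right-hand side.
ASSIGN = re.compile(r"^\s*(?:\w+\s+)*\**(\w+)\s*=\s*(.+?)\s*;?\s*$")

def quick_filter(path):
    """Pre-filter for step (2): walk the path propagating known constants; a
    condition that evaluates to false makes the path certainly infeasible.
    Anything else is left for the real verifier ("undecided")."""
    env = {}
    for kind, text in path:
        if kind == "cond":
            v = eval_expr(text, env)
            if v is not UNKNOWN and not v:
                return "infeasible"
        else:
            m = ASSIGN.match(text)
            if m:
                env[m.group(1)] = eval_expr(m.group(2), env)
    return "undecided"

if __name__ == "__main__":
    for name, path in (("A", PATH_A), ("B", PATH_B)):
        print(name, quick_filter(path))
    print(instrument(PATH_B))
```

PATH_A is rejected by the filter alone, since n is the constant 0 when the path assumes n > 0; PATH_B depends on read_int() and is handed to the verifier as the instrumented program, whose only way to reach the ERROR label is through the guard on n > 0.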

Experimental results

Experimental results of EMOPS and MOPS

| Vulnerability | Application | MOPS | EMOPS | Real/Total CE-paths | Path filter |
| --- | --- | --- | --- | --- | --- |
| Double Free | cvs-1.11.4 | NO | YES | 1(2) | 1 |
| Double Free | krb5-1.4.1 | YES | YES | 1(1) | 0 |
| Memory Leak | squid-2.4.STABLE3 | NO | YES | 1(4) | 2 |
| Memory Leak | wget-1.10.2 | NO | YES | 1(9) | 6 |
| Memory Leak | which-2.16 | NO | YES | 1(5) | 2 |
| Buffer Overflow | gzip-1.2.4 | NO | YES | 1(1) | 0 |
| Buffer Overflow | ncompress-4.2.4 | NO | YES | 1(1) | 0 |
| Buffer Overflow | sendmail-8.7.5 | NO | YES | 1(2) | 1 |
| Buffer Overflow | wu-ftpd-2.4.2-beta-18-vr8 | NO | YES | 1(3) | 2 |

Experimental results

Results of program slice

| Application | Before program slice | After program slice | Compaction rate |
| --- | --- | --- | --- |
| cvs-1.11.4 | 733 | 315 | 42.97% |
| krb5-1.4.1 | 2439 | 225 | 9.23% |
| squid-2.4.STABLE3 | 1838 | 132 | 7.18% |
| wget-1.10.2 | 593 | 102 | 17.2% |
| which-2.16 | 18 | 5 | 27.78% |
| gzip-1.2.4 | 96 | 10 | 10.42% |
| ncompress-4.2.4 | 15 | 2 | 13.33% |
| sendmail-8.7.5 | 415 | 197 | 47.47% |
| wu-ftpd-2.4.2-beta-18-vr8 | 221 | 83 | 37.56% |

Experimental results

Comparison between alias analysis based on points-to sets and the demand-driven method, and their cost (ms)

| Application | Traditional dataflow analysis (ms) | Demand-driven dataflow analysis (ms) | Improvement rate |
| --- | --- | --- | --- |
| cvs-1.11.4 | 1632.65 | 1225.39 | 7.85% |
| krb5-1.4.1 | 1558.3 | 1120.24 | 6.73% |
| squid-2.4.STABLE3 | 360.89 | 67.28 | 17.78% |
| wget-1.10.2 | 270.43 | 175.93 | 8.74% |
| which-2.16 | 171.39 | 124.56 | 13.37% |
| gzip-1.2.4 | 122.41 | 94.33 | 3.67% |
| ncompress-4.2.4 | 63.05 | 49.25 | 5.93% |
| sendmail-8.7.5 | 1327.47 | 1111.36 | 14.47% |
| wu-ftpd-2.4.2-beta-18-vr8 | 177.33 | 119.83 | 7.30% |

Conclusion and future work

Conclusion: we describe a tool, EMOPS, which improves MOPS’s performance from two aspects:
(1) combination of control flow and dataflow information
(2) path verification

Future work: In EMOPS, as in most program analysis tools, the safety model for the temporal safety property has to be constructed manually. In our future work, we will try to make this process automatic through mining techniques that extract the temporal safety property specification from source code.