Is Program Analysis The Silver Bullet Against Software Bugs? by Karim Ali

Transcript

1. Karim Ali University of Alberta @karimhamdanali Is Program Analysis The

   Silver Bullet Against Software Bugs? Papers We Love Conference — 2019

2. @karimhamdanali Software Bugs !2

3. @karimhamdanali Software Bugs Invalid SSL/TLS connections earned Apple Most Epic

   Fail [Pwnie ’14] !3 goto fail; goto fail; Source: CVE-2014-1266

4. @karimhamdanali © Copyright 2014, Philip Koopman. CC Attribution 4.0 International

   license. 5 http://www.cbsnews.com/news/toyota-unintended-acceleration-has-killed-89/ May 25, 2010 Software Bugs Errors in ABS software led to fatal accidents and cost Toyota $3 Billion !4 Source: Philip Koopman, CMU

5. @karimhamdanali Software Bugs Unencrypted, unauthenticated connections to some medical implants

   !5 Source: Department of Homeland Security

6. @karimhamdanali Program Analysis !6 goto fail; goto fail; © Copyright

   2014, Philip Koopman. CC Attribution 4.0 International license. 5 http://www.cbsnews.com/news/toyota-unintended-acceleration-has-killed-89/ May 25, 2010

7. @karimhamdanali What is Program Analysis? !7

8. @karimhamdanali Program Analysis !8 A way of reasoning about the

   runtime behaviour of a program without necessarily executing it

9. @karimhamdanali Rice’s Theorem “For any interesting property Pr of the

   behaviour of a program, it is impossible to write an analysis that can decide for every program p whether Pr holds for p.” !9 Image: CooperToons

10. @karimhamdanali By definition, program analysis is undecidable !10

11. @karimhamdanali Not quite… !11 Image: J. K. Simmons / Whiplash

12. @karimhamdanali Program Analysis •Settle for an approximation of Pr •Make

    it as “good” as possible p analysis yes p analysis no !12 few Image: Jenna Mullins / ENews

13. @karimhamdanali Program Analysis !13 Code Navigation Code Recommenders Code Refactoring

    Constant Propagation Dead Code Elimination Static Inlining Parallelization

14. @karimhamdanali Program Analysis in Practice !14 Image: Minion Special /

    YouTube

15. @karimhamdanali Program Analysis in Practice !15 Scalability Usability Precision

16. @karimhamdanali Collaborators •Erick Ochoa (UAlberta) •Spencer Killen (UAlberta) •Kristen Newbury

    (UAlberta) •Revan MacQueen (UAlberta) •Daniil Tiganov (UAlberta) •Jeff Cho (UAlberta) •Johannes Späth (Paderborn) •Lisa Nguyen (Paderborn) •Stefan Krüger (Paderborn) •Ondřej Lhoták (Waterloo) •Frank Tip (Northeastern) •Eric Bodden (Paderborn & Fraunhofer IEM) •Mira Mezini (TU Darmstadt) •Julian Dolby (IBM Research) •Andrew Craik (IBM) •Mark Stoodley (IBM) •Vijay Sundaresan (IBM) •Ben Livshits (Imperial College London & Brave) •Emerson Murphy-Hill (Google) •Justin Smith (Lafayette College) •José Nelson Amaral (UAlberta) •James Wright (UAlberta) •Kirsten Thommes (Paderborn) •René Fahr (Paderborn) !16

17. @karimhamdanali Collaborators •Erick Ochoa (UAlberta) •Spencer Killen (UAlberta) •Kristen Newbury

    (UAlberta) •Revan MacQueen (UAlberta) •Daniil Tiganov (UAlberta) •Jeff Cho (UAlberta) •Johannes Späth (Paderborn) •Lisa Nguyen (Paderborn) •Stefan Krüger (Paderborn) •Ondřej Lhoták (Waterloo) •Frank Tip (Northeastern) •Eric Bodden (Paderborn & Fraunhofer IEM) •Mira Mezini (TU Darmstadt) •Julian Dolby (IBM Research) •Andrew Craik (IBM) •Mark Stoodley (IBM) •Vijay Sundaresan (IBM) •Ben Livshits (Imperial College London & Brave) •Emerson Murphy-Hill (Google) •Justin Smith (Lafayette College) •José Nelson Amaral (UAlberta) •James Wright (UAlberta) •Kirsten Thommes (Paderborn) •René Fahr (Paderborn) !17

18. @karimhamdanali 2010 !18

19. @karimhamdanali 2010 !19

20. @karimhamdanali 2010 !20 Where do I begin?

21. @karimhamdanali 2010 !21 Where do I begin? Start with this

    paper!
22. None
23. None

24. @karimhamdanali … so what is a Call Graph? !24

25. @karimhamdanali Call Graph !25

26. @karimhamdanali Call Graph !26 class Circle extends Shape { void

    draw() { ... } } class Square extends Shape { void draw() { ... } } Shape s; if(*) s = new Circle(); else s = new Square(); s.draw();

27. @karimhamdanali Call Graph !27 class Circle extends Shape { void

    draw() { ... } } class Square extends Shape { void draw() { ... } } Shape s; if(*) s = new Circle(); else s = new Square(); s.draw(); required by every inter-procedural analysis

28. @karimhamdanali Let’s build a Call Graph !28 public class Main

    { public static void main(String[] args) { Shape s; if (args.length > 2) s = new Circle(); else s = new Square(); s.draw(); } } abstract class Shape { abstract void draw(); } class Circle extends Shape { void draw() { ... } } class Square extends Shape { void draw() { ... } }

29. @karimhamdanali Let’s build a Call Graph !29 public class Main

    { public static void main(String[] args) { Shape s; if (args.length > 2) s = new Circle(); else s = new Square(); s.draw(); } } abstract class Shape { abstract void draw(); } class Circle extends Shape { void draw() { ... } } class Square extends Shape { void draw() { ... } } Main.main()

30. @karimhamdanali Let’s build a Call Graph !30 public class Main

    { public static void main(String[] args) { Shape s; if (args.length > 2) s = new Circle(); else s = new Square(); s.draw(); } } abstract class Shape { abstract void draw(); } class Circle extends Shape { void draw() { ... } } class Square extends Shape { void draw() { ... } } Main.main() Circle.<init>()

31. @karimhamdanali Let’s build a Call Graph !31 public class Main

    { public static void main(String[] args) { Shape s; if (args.length > 2) s = new Circle(); else s = new Square(); s.draw(); } } abstract class Shape { abstract void draw(); } class Circle extends Shape { void draw() { ... } } class Square extends Shape { void draw() { ... } } Main.main() Shape.<init>() Circle.<init>() Object.<init>()

32. @karimhamdanali Let’s build a Call Graph !32 public class Main

    { public static void main(String[] args) { Shape s; if (args.length > 2) s = new Circle(); else s = new Square(); s.draw(); } } abstract class Shape { abstract void draw(); } class Circle extends Shape { void draw() { ... } } class Square extends Shape { void draw() { ... } } Main.main() Shape.<init>() Square.<init>() Circle.<init>() Object.<init>()

33. @karimhamdanali Let’s build a Call Graph !33 public class Main

    { public static void main(String[] args) { Shape s; if (args.length > 2) s = new Circle(); else s = new Square(); s.draw(); } } abstract class Shape { abstract void draw(); } class Circle extends Shape { void draw() { ... } } class Square extends Shape { void draw() { ... } } Main.main() Shape.<init>() Square.<init>() Circle.<init>() Square.draw() Circle.draw() Object.<init>()
34. None

35. @karimhamdanali Let’s build a Call Graph for javac !35

36. @karimhamdanali Let’s build a Call Graph for javac !36 •

    Java 1.4 • 0.5 MB of class files • 8 GB of RAM • HOURS! IRIS Reasoner

37. @karimhamdanali Let’s build a Call Graph for javac !37 •

    Java 1.4 • 0.5 MB of class files • 8 GB of RAM • HOURS! IRIS Reasoner Exception in thread “main" java.lang.OutOfMemoryError: Java heap space

38. @karimhamdanali Let’s build a Call Graph for "Hello, World!" !38

39. @karimhamdanali !39 public class HelloWorld { public static void main(String[]

    args) { System.out.println("Hello, World!"); } }

40. @karimhamdanali !40 public class HelloWorld { public static void main(String[]

    args) { System.out.println("Hello, World!"); } } • > 30 seconds • > 5,000 reachable methods • > 23,000 call edges

41. @karimhamdanali Hello, World! !41

42. @karimhamdanali !42

43. None

44. @karimhamdanali Alone? !44

45. @karimhamdanali Not Alone! !45 I'd like to ignore library code

    what about callbacks? this would be unsound but better than nothing ignore non-application program elements (e.g., system libraries)? whole-program analysis always pulls in the world for completeness. The problem is that the world is fairly large I am NOT interested in those

46. @karimhamdanali Partial-Program Analysis !46

47. @karimhamdanali Sound and Precise Partial-Program Analysis !47

48. @karimhamdanali !48

49. @karimhamdanali !49 Ideal Call Graph Image: CooperToons

50. @karimhamdanali !50 Ideal Call Graph Whole-Program Call Graph

51. @karimhamdanali !51 Ideal Call Graph Whole-Program Call Graph Incomplete Call

    Graph (unsound)

52. @karimhamdanali !52 Ideal Call Graph Whole-Program Call Graph Incomplete Call

    Graph (unsound) Conservative Call Graph (highly imprecise)

53. @karimhamdanali !53 Ideal Call Graph Whole-Program Call Graph Incomplete Call

    Graph (unsound) Conservative Call Graph (highly imprecise) Partial-Program Call Graph

54. @karimhamdanali The Separate Compilation Assumption !54 Source: Ali and Lhoták.

    Application-Only Call Graph Construction. [ECOOP '12]

55. @karimhamdanali The Separate Compilation Assumption All of the library classes

    can be compiled in the absence of the application classes. !55

56. @karimhamdanali Constraints 1. Class Hierarchy 2. Class Instantiation 3. Local

    Variables 4. Method Calls !56 5. Field Access 6. Array Access 7. Static Initialization 8. Exception Handling

57. @karimhamdanali Constraints 1. Class Hierarchy 2. Class Instantiation 3. Local

    Variables 4. Method Calls !57 5. Field Access 6. Array Access 7. Static Initialization 8. Exception Handling

58. @karimhamdanali Library Points-to Set (LPT) !58 Application Library pt(v1) =

    o1 o3 pt(v2) = o2 o3 pt(v3) = o1 o4 LPT = o1 o2 o3 o5

59. @karimhamdanali Library Callbacks !59 Application Library class C { m();

    } class B extends L { m(); } class A extends L { m(); } calls class L { m(); } 1 LPT = A C 2

60. @karimhamdanali !60 Source: Ali and Lhoták. Averroes: Whole-Program Analysis Without

    The Whole Program. [ECOOP '13]

61. @karimhamdanali JAR Placeholder Library SCA JAR !61

62. @karimhamdanali Evaluation !62 600× smaller library 7× faster analysis 6×

    less memory Precise & Sound

63. @karimhamdanali !63

64. @karimhamdanali !64 Application Library Scalability

65. @karimhamdanali Program Analysis in Practice !65 Precision

66. @karimhamdanali Program Analysis in Practice !66 Scalability Precision

67. @karimhamdanali Security-Related Static Analyses !67

68. @karimhamdanali Security-Related Static Analyses !68 public void main(String[] args) {

    Object x = null; Object y = x; y.toString(); } Null-Pointer Analysis

69. @karimhamdanali Security-Related Static Analyses !69 public void main(String[] args) {

    String x = args[0]; String y = x; SQL.execute(''SELECT * FROM User where userId='' + y ); } Taint Analysis

70. @karimhamdanali Security-Related Static Analyses !70 public void main(String[] args) {

    File x = new File(); File y = x; y.close(); } Typestate Analysis

71. @karimhamdanali Static Data-Flow Analysis !71

72. @karimhamdanali Precise Static Data-Flow Analysis !72

73. @karimhamdanali Precise Static Data-Flow Analysis !73 public void main(String[] args)

    { File x = new File(); this.z = x; foo(x); x.close(); foo(x); } public void foo(File y){ y.write(...); } public void foo(){ this.a.write(...); }

74. @karimhamdanali Precise Static Data-Flow Analysis !74 public void main(String[] args)

    { File x = new File(); this.z = x; foo(x); x.close(); foo(x); } public void foo(File y){ y.write(...); } public void foo(){ this.a.write(...); } Context-Sensitive

75. @karimhamdanali Precise Static Data-Flow Analysis !75 public void main(String[] args)

    { File x = new File(); this.z = x; foo(x); x.close(); foo(x); } public void foo(File y){ y.write(...); } public void foo(){ this.a.write(...); } Field-Sensitive

76. @karimhamdanali Precise Static Data-Flow Analysis !76 x z y Pushdown

    Automaton main() foo(x) bar(y) foo(z) Stack of Calls f h g f Stack of Fields Context-Sensitive ∧ Field-Sensitive

77. @karimhamdanali Precise Static Data-Flow Analysis !77 x z y Pushdown

    Automaton main() foo(x) bar(y) foo(z) Stack of Calls f h g f Stack of Fields Undecidable Reps [TOPLAS 2000] Source: Thomas W. Reps. Undecidability of Context-Sensitive Data-Dependence Analysis. [TOPLAS '00] Context-Sensitive ∧ Field-Sensitive

78. @karimhamdanali Precise Static Data-Flow Analysis !78 x z y Pushdown

    Automaton main() foo(x) bar(y) foo(z) Stack of Calls f h g f Stack of Fields Context-Sensitive ∧ Field-Sensitive

79. @karimhamdanali Precise Static Data-Flow Analysis !79 x z Pushdown Automaton

    main() foo(x) bar(y) foo(z) Stack of Calls k-limitting Access Paths/Graphs y.f y.g y.f.h y.f.g Context-Sensitive ∧ Field-Sensitive

80. @karimhamdanali Precise Static Data-Flow Analysis !80 x z Pushdown Automaton

    main() foo(x) bar(y) foo(z) Stack of Calls k-limitting Access Paths/Graphs y.f y.g y.f.h y.f.g Context-Sensitive ∧ Field-Sensitive What’s a good value for k? k-limitting yields too many false positives

81. @karimhamdanali Synchronized Pushdown Systems (SPDS) !81 Source: Späeth et al.

    Context-, Flow-, and Field-Sensitive Data-Flow Analysis using Synchronized Pushdown Systems. [POPL '19]

82. @karimhamdanali Synchronized Pushdown Systems !82 Context-Sensitive ∧ Field-Sensitive

83. @karimhamdanali Synchronized Pushdown Systems !83 Context-Sensitive Field-Sensitive Context-Sensitive ∧ Field-Sensitive

    ∧ ⊑ over-approximation Never encountered in practice

84. @karimhamdanali Synchronized Pushdown Systems !84 Context-Sensitive Field-Sensitive ∧ Pushdown System

    of Calls x z y main() foo(x) bar(y) foo(z) Stack of Calls Variables f h g f Stack of Fields Pushdown System of Fields x z y Variables

85. @karimhamdanali Synchronized Pushdown Systems !85 Context-Sensitive Field-Sensitive ∧ Pushdown System

    of Calls x z y main() foo(x) bar(y) foo(z) Stack of Calls Variables f h g f Stack of Fields Pushdown System of Fields x z y Variables Decidable

86. @karimhamdanali Synchronized Pushdown Systems !86 Context-Sensitive Field-Sensitive ∧ Pushdown System

    of Calls x z y main() foo(x) bar(y) foo(z) Stack of Calls Variables f h g f Stack of Fields Pushdown System of Fields x z y Variables Decidable No k-limitting

87. @karimhamdanali SPDS Evaluation !87

88. @karimhamdanali SPDS Evaluation !88 Analysis Time (seconds) 0 5 10

    15 20 25 30 35 40 45 50 Number of Field Accesses 2 4 6 8 10 12 14 16 18 Access Path (k=4) Access Path (k=3) Access Path (k=2) Access Path (k=1) SPDS Eclipse

89. @karimhamdanali … but is it useful in practice? !89

90. @karimhamdanali CogniCrypt.org Eclipse Foundation !90

91. @karimhamdanali 68% are insecure (Maven has > 2.7 million artifacts)

    !91

92. @karimhamdanali 95% are insecure (10,000 most recent Android apps on

    AndroZoo) !92

93. @karimhamdanali Symantec CVE-2018-12240 !93

94. @karimhamdanali !94 Precision SPDS

95. @karimhamdanali Program Analysis in Practice !95 Usability

96. None
97. None

98. @karimhamdanali !98

99. @karimhamdanali 99 precise responsive seamless tailored Sources: Johnson et al.

    Why Don’t Software Developers Use Static Analysis Tools to Find Bugs? [ICSE '13] Sources: Xiao et al. Social Influences on Secure Development Tool Adoption: Why Security Tools Spread. [CSCW '14] Sources: Smith et al. Questions Developers Ask While Diagnosing Potential Security Vulnerabilities with Static Analysis. [FSE '15]

100. @karimhamdanali Just-In-Time Static Analysis !100

101. @karimhamdanali Just-In-Time Static Analysis (Cheetah) !101 https://github.com/secure-software-engineering/cheetah Developers fix errors

     2x faster

102. @karimhamdanali !102 Usability

103. @karimhamdanali !103 Scalability Usability Precision

104. @karimhamdanali Where do we go from here? !104 Image: Boomerang

     Toons / GIPHY

105. @karimhamdanali Swift Analysis Framework !105 themaplelab/swan

106. @karimhamdanali @karimhamdanali Analysis-Driven Inliner Discriminants Budget Algorithm Search Space Call

     Frequency Method Size Method Size Nested Knapsack All IDT Methods Post-Inlining Transformations !59 Estimate Post-Inlining Transformations !106 themaplelab/openj9

107. @karimhamdanali • Understanding the internals of neural networks is limited

     due to their complexity • Fixing errors in neural networks without retraining is hard and currently not supported • We use Rosette to solve for changes in weights to a neural network • Rosette is able to represent neural networks and their results as symbolic values, which can then be solved for, under the assertion that a given data point is correct OVERVIEW Rosette Objective Adjust n weights We use rosette to solve for changes in network weights subject to the following objective To maximize Weight Selection EVALUATION WEIGHT SELECTION METHOD TRAINING SOLVING Training Solving Evaluation #lang rosette (define-symbolic x integer?) (assert (> x3)) (define solution (solve x)) > (evaluate x solution) 4 Fixing Neural Networks using Solver-Aided Languages !107 coming soon...

108. @karimhamdanali Google Android Mobile Security !108 Image: Android Developers Blog

109. @karimhamdanali Facebook Infer, Zoncolan, SapFix !109 Source: Distefano et al.

     Scaling Satic Analsyes at Facebook. [CACM '19]

110. @karimhamdanali Semmle Continuous Security Analysis !110 Image: LGTM.com

111. @karimhamdanali Future of Program Analysis !111 • Understanding the internals

     of neural networks is limited due to their complexity • Fixing errors in neural networks without retraining is hard and currently not supported • We use Rosette to solve for changes in weights to a neural network • Rosette is able to represent neural networks and their results as symbolic values, which can then be solved for, under the assertion that a given data point is correct OVERVIEW Rosette Objective Adjust n weights We use rosette to solve for changes in network weights subject to the following objective To maximize Weight Selection • We evaluate network performance before and after solving • Network with 784 input nodes, 300 hidden, and 10 output nodes • On average, after making changes, 99.85% of testing points remain correctly classified EVALUATION WEIGHT SELECTION METHOD TRAINING SOLVING Training Effect of Number of Symbolic Weights on Runtime Solving Evaluation #lang rosette (define-symbolic x integer?) (assert (> x3)) (define solution (solve x)) > (evaluate x solution) 4 @karimhamdanali Discriminants Budget Algorithm Search Space Call Frequency Method Size Method Size Nested Knapsack All IDT Methods Post-Inlining Transformations !59 Extra Images: SIGPLAN Blog
112. None

113. @karimhamdanali Program Analysis !6 goto fail; goto fail; © Copyright

     2014, Philip Koopman. CC Attribution 4.0 International license. 5 http://www.cbsnews.com/news/toyota-unintended-acceleration-has-killed-89/ May 25, 2010

114. @karimhamdanali Program Analysis !6 goto fail; goto fail; © Copyright

     2014, Philip Koopman. CC Attribution 4.0 International license. 5 http://www.cbsnews.com/news/toyota-unintended-acceleration-has-killed-89/ May 25, 2010 @karimhamdanali Program Analysis !13 Code Navigation Code Recommenders Code Refactoring Constant Propagation Dead Code Elimination Static Inlining Parallelization

115. @karimhamdanali Program Analysis !6 goto fail; goto fail; © Copyright

     2014, Philip Koopman. CC Attribution 4.0 International license. 5 http://www.cbsnews.com/news/toyota-unintended-acceleration-has-killed-89/ May 25, 2010 @karimhamdanali Program Analysis !13 Code Navigation Code Recommenders Code Refactoring Constant Propagation Dead Code Elimination Static Inlining Parallelization @karimhamdanali !103 Scalability Usability Precision

116. @karimhamdanali Program Analysis !6 goto fail; goto fail; © Copyright

     2014, Philip Koopman. CC Attribution 4.0 International license. 5 http://www.cbsnews.com/news/toyota-unintended-acceleration-has-killed-89/ May 25, 2010 @karimhamdanali Program Analysis !13 Code Navigation Code Recommenders Code Refactoring Constant Propagation Dead Code Elimination Static Inlining Parallelization @karimhamdanali !103 Scalability Usability Precision @karimhamdanali Future of Program Analysis !111 Fixing Neural Networks with Solver-Aided Languages Revan MacQueen1, Julian Dolby2, Karim Ali1 1UNIVERSITY OF ALBERTA, 2IBM RESEARCH https://github.com/themaplelab/ML-SE • Understanding the internals of neural networks is limited due to their complexity • Fixing errors in neural networks without retraining is hard and currently not supported • We use Rosette to solve for changes in weights to a neural network • Rosette is able to represent neural networks and their results as symbolic values, which can then be solved for, under the assertion that a given data point is correct OVERVIEW Rosette Objective Adjust n weights We use rosette to solve for changes in network weights subject to the following objective To maximize Weight Selection • We evaluate network performance before and after solving • Network with 784 input nodes, 300 hidden, and 10 output nodes • On average, after making changes, 99.85% of testing points remain correctly classified EVALUATION WEIGHT SELECTION METHOD TRAINING SOLVING Training Effect of Number of Symbolic Weights on Runtime Solving Evaluation #lang rosette (define-symbolic x integer?) (assert (> x3)) (define solution (solve x)) > (evaluate x solution) 4 @karimhamdanali Analysis-Driven Inliner Discriminants Budget Algorithm Search Space Call Frequency Method Size Method Size Nested Knapsack All IDT Methods Post-Inlining Transformations !59 Extra Images: SIGPLAN Blog

117. Karim Ali University of Alberta @karimhamdanali Is Program Analysis The

     Silver Bullet Against Software Bugs? @karimhamdanali Program Analysis !6 goto fail; goto fail; © Copyright 2014, Philip Koopman. CC Attribution 4.0 International license. 5 http://www.cbsnews.com/news/toyota-unintended-acceleration-has-killed-89/ May 25, 2010 @karimhamdanali Program Analysis !13 Code Navigation Code Recommenders Code Refactoring Constant Propagation Dead Code Elimination Static Inlining Parallelization @karimhamdanali !103 Scalability Usability Precision @karimhamdanali Future of Program Analysis !111 Fixing Neural Networks with Solver-Aided Languages Revan MacQueen1, Julian Dolby2, Karim Ali1 1UNIVERSITY OF ALBERTA, 2IBM RESEARCH https://github.com/themaplelab/ML-SE • Understanding the internals of neural networks is limited due to their complexity • Fixing errors in neural networks without retraining is hard and currently not supported • We use Rosette to solve for changes in weights to a neural network • Rosette is able to represent neural networks and their results as symbolic values, which can then be solved for, under the assertion that a given data point is correct OVERVIEW Rosette Objective Adjust n weights We use rosette to solve for changes in network weights subject to the following objective To maximize Weight Selection • We evaluate network performance before and after solving • Network with 784 input nodes, 300 hidden, and 10 output nodes • On average, after making changes, 99.85% of testing points remain correctly classified EVALUATION WEIGHT SELECTION METHOD TRAINING SOLVING Training Effect of Number of Symbolic Weights on Runtime Solving Evaluation #lang rosette (define-symbolic x integer?) (assert (> x3)) (define solution (solve x)) > (evaluate x solution) 4 @karimhamdanali Analysis-Driven Inliner Discriminants Budget Algorithm Search Space Call Frequency Method Size Method Size Nested Knapsack All IDT Methods Post-Inlining Transformations !59 Extra Images: SIGPLAN Blog