프로그램 분석기술 Airac 의 예를 통해서

프로그램 분석기술 Airac 의 예를 통해서

이광근 교수프로그래밍 연구실

서울대4/30/2005 @ mpsoc

프로그램 분석static program analysis

실행전에 실행성질을 자동으로

안전하게 어림잡는 일반적인 방법

프로그램 분석static program analysis

• “ 실행전” : 프로그램을 돌리기 전에• “ 실행성질” : 실행중의 프로그램 성질• “ 자동으로” : 프로그램이 프로그램을 분석• “ 안전하게” : 모든 실제상황을 포섭• “ 어림잡는” : 군더더기가없을 순 없다• “ 일반적인” : 대상 소스 언어와 실행성질이

무제한

프로그램 분석 기술 static program analysis

• “semantic-based program analysis”– abstract interpretation– type system– model checking; theorem proving; data

flow analysis– etc.

AiracStatic Analyzer for Automatic

Verification of Array Index Ranges in C Programs

Airac

• C 프로그램의 메모리접근 오류 자동 검출 int *c = (int *)malloc(sizeof(int)*10);

c[i] = 1; c[i + f()] = 1; c[*k + (*g)()] = 1; x = c; x[1] = 1; y = c + f(); y[*(y+1)] = 1; z->a = c; (z->a)[i] = 1; foo(c+2); int foo(int *d) {… d[i] = 1; …}

Airac keywords

• C: analyzes ANSI C + (GNU) program– pointers(array, procedure)– controls(procedure, return, break, goto)– intra- and inter-procedural

• statically: no test runs• all: complete, no un-noticed bug• automatic: a software • always stops: for infinite-loop programs• modular: for large programs• correct: solid theoretical foundation

Airac: performance (1/3)(commercial softwares)

X Softwares AlarmsReal

ErrorsLOC

Time(min)

검증용 Code 46 34 4,688 306

A1 18 9 280,379 8

A2 196 56 3,584,664 789

A3 78 15 119,211 82

A4 435 7 806,829 112

A5 197 112 517,314 8

Airac: performance (2/3)Linux kernel

2.6.4Alarms

RealErrors

LOCTime(sec)

vmax302.c 1 1 246 0.28

xfrm_user.c 2 1 1,201 45.07

usb-midi.c 10 4 2,206 91.32

atkbd.c 2 2 811 1.99

keyboard.c 2 1 1,256 3.36

af_inet.c 1 1 1,273 1.17

eata_pio.c 3 1 984 7.50

cdc_acm.c 3 3 849 3.98

ip6_output.c 0 0 1,110 1.53

mptbase.c 1 1 6,158 0.79

aty128fb.c 1 1 2,466 0.32

Airac: performance (3/3)

GNU Softwares

AlarmsReal

ErrorsLOC

Time(sec)

tar-1.13 66 1 20,258 577

bison-1.875 50 0 15,907 809

sed-4.0.8 29 0 6,053 1154

gzip-1.2.4a 17 0 7,327 794

grep-2.5.1 2 0 9,297 604

Airac: scalability

Airac vs Swat (1/3)

Linux kernel 2.6.4 SWAT (Stanford,Coverit

y 사 )

AIRAC ( 서울대 )

Found Errors

Found Errors

/drivers/mtd/maps/vmax301.c 1 1

/net/xfrm/xfrm_user.c 1 1

/drivers/usb/class/usb-midi.c 2 2

/drivers/input/keyboard/atkbd.c 2 2

/drivers/char/keyboard.c 1 1

/net/ipv4/af_inet.c 1 1

/drivers/scsi/eata_pio.c 1 1

/drivers/usb/class/cdc-acm.c (*) 1 3

/net/ipv6/ip6_output.c (**) 1 0

/drivers/message/fusion/mptbase.c 1 1

/drivers/video/aty/aty128fb.c 1 1

Airac vs Swat (2/3)

Bugs

Airac

Coverity

Airac vs Swat (3/3)구분 SWAT (Coverity 社 ) AIRAC ( 서울대 )

에러 검출력 62% detect 율 (8/13) 100% detect 율 (13/13)

A 적용결과

#Alarms: 19 buffers#Real Errors: 2 buffers#False Alarms: 17 buffersTime: 7 min

#Alarms: 78#Real Errors: 15 access (5 buffers)#False Alarms: 63 access (18 buffers)Time: 82 min

B 적용결과

#Alarms: 2 buffers#Real Errors: 2 buffers#False Alarms: 0 buffersTime: 4 min

#Alarms: 18#Real Errors: 9 access (2 buffers)#False Alarms: 9 access (6 buffers)Time: 8 min

cdc_acm.c(Linux device driver)

New: 허위경보 다스리기• Bayesian statistical analysis

– after training: c– probability for being true alarm ~ beta distribution(c,x)

• Monte Carlo method– estimate the probability from the distribution

• Decision theory– parameterize the decision threshold by the risk ratio of siliencing true alarms to false alarming

• 결과 :– risk ratio = 3 then 74.83% false alarms removed– ranking alarms: order of presenting errors to the user

Sifting Out False Alarms by Bayesian Statistical Post Analysis

Alarms

a1, a2, a3, ....

Bayesian analysis

a1

0.97...a2

0.12

a3

0.82

Ranking False Alarms

• Ranking alarms by their trueness: “truer” alarms first

• Only 15.17% of false alarms were mixed up until the user observes 50% of the true alarms

New versions keep coming:cost/accuracy/interface/etc.

ropas.snu.ac.kr/airac