Hofmann and Jost have presented a heap space analysis [1] that finds linear space bounds for many functional programs. It uses an amortised analysis: assigning hypothetical amounts of free space (called potential) to data structures in proportion to their sizes using type annotations. Constraints on these annotations in the type system ensure that the total potential assigned to the input is an upper bound on the total memory required to satisfy all allocations.

We describe a related system for bounding the stack space requirements which uses the depth of data structures, by expressing potential in terms of maxima as well as sums. This is achieved by adding extra structure to typing contexts (inspired by O'Hearn's bunched typing [2]) to describe the form of the bounds. We will also present the extra steps that must be taken to construct a typing during the analysis.

/pdf/amortised-memory-analysis-using-the-depth-of-data-structures-hxqcvqf6l2.pdf

Amortised Memory Analysis Using the Depth of Data Structures

: The U. S. Department of Defense (DoD) has a goal of information dominance to achieve and exploit superior collection, fusion, analysis, and use of information to meet mission objectives. This goal depends on increasingly complex systems characterized by thousands of platforms, sensors, decision nodes, weapons, and warfighters connected through heterogeneous wired and wireless networks. These systems will push far beyond the size of today s systems and systems of systems by every measure: number of lines of code; number of people employing the system for different purposes; amount of data stored, accessed, manipulated, and refined; number of connections and interdependencies among software components; and number of hardware elements. They will be ultra-largescale (ULS) systems. The sheer scale of ULS systems will change everything. ULS systems will necessarily be decentralized in a variety of ways, developed and used by a wide variety of stakeholders with conflicting needs, evolving continuously, and constructed from heterogeneous parts. People will not just be users of a ULS system; they will be elements of the system. Software and hardware failures will be the norm rather than the exception. The acquisition of a ULS system will be simultaneous with its operation and will require new methods for control. These characteristics are beginning to emerge in today s DoD systems of systems; in ULS systems they will dominate. Consequently, ULS systems will place unprecedented demands on software acquisition, production, deployment, management, documentation, usage, and evolution practices.

/pdf/ultra-large-scale-systems-the-software-challenge-of-the-23wh4oixng.pdf

Ultra-Large-Scale Systems: The Software Challenge of the Future

We present ClearView, a system for automatically patching errors in deployed software. ClearView works on stripped Windows x86 binaries without any need for source code, debugging information, or other external information, and without human intervention.ClearView (1) observes normal executions to learn invariants thatcharacterize the application's normal behavior, (2) uses error detectors to distinguish normal executions from erroneous executions, (3) identifies violations of learned invariants that occur during erroneous executions, (4) generates candidate repair patches that enforce selected invariants by changing the state or flow of control to make the invariant true, and (5) observes the continued execution of patched applications to select the most successful patch.ClearView is designed to correct errors in software with high availability requirements. Aspects of ClearView that make it particularly appropriate for this context include its ability to generate patches without human intervention, apply and remove patchesto and from running applications without requiring restarts or otherwise perturbing the execution, and identify and discard ineffective or damaging patches by evaluating the continued behavior of patched applications.ClearView was evaluated in a Red Team exercise designed to test its ability to successfully survive attacks that exploit security vulnerabilities. A hostile external Red Team developed ten code injection exploits and used these exploits to repeatedly attack an application protected by ClearView. ClearView detected and blocked all of the attacks. For seven of the ten exploits, ClearView automatically generated patches that corrected the error, enabling the application to survive the attacks and continue on to successfully process subsequent inputs. Finally, the Red Team attempted to make Clear-View apply an undesirable patch, but ClearView's patch evaluation mechanism enabled ClearView to identify and discard both ineffective patches and damaging patches.

/pdf/automatically-patching-errors-in-deployed-software-4pcv80wt93.pdf

Automatically patching errors in deployed software

This paper describes a compositional shape analysis, where each procedure is analyzed independently of its callers. The analysis uses an abstract domain based on a restricted fragment of separation logic, and assigns a collection of Hoare triples to each procedure; the triples provide an over-approximation of data structure usage. Compositionality brings its usual benefits -- increased potential to scale, ability to deal with unknown calling contexts, graceful way to deal with imprecision -- to shape analysis, for the first time.The analysis rests on a generalized form of abduction (inference of explanatory hypotheses) which we call bi-abduction. Bi-abduction displays abduction as a kind of inverse to the frame problem: it jointly infers anti-frames (missing portions of state) and frames (portions of state not touched by an operation), and is the basis of a new interprocedural analysis algorithm. We have implemented our analysis algorithm and we report case studies on smaller programs to evaluate the quality of discovered specifications, and larger programs (e.g., an entire Linux distribution) to test scalability and graceful imprecision.

/pdf/compositional-shape-analysis-by-means-of-bi-abduction-3k7rt4zvp8.pdf

Compositional shape analysis by means of bi-abduction

Work on automating vulnerability discovery has long been hampered by a shortage of ground-truth corpora with which to evaluate tools and techniques. This lack of ground truth prevents authors and users of tools alike from being able to measure such fundamental quantities as miss and false alarm rates. In this paper, we present LAVA, a novel dynamic taint analysis-based technique for producing ground-truth corpora by quickly and automatically injecting large numbers of realistic bugs into program source code. Every LAVA bug is accompanied by an input that triggers it whereas normal inputs are extremely unlikely to do so. These vulnerabilities are synthetic but, we argue, still realistic, in the sense that they are embedded deep within programs and are triggered by real inputs. Using LAVA, we have injected thousands of bugs into eight real-world programs, including bash, tshark, and the GNU coreutils. In a preliminary evaluation, we found that a prominent fuzzer and a symbolic execution-based bug finder were able to locate some but not all LAVA-injected bugs, and that interesting patterns and pathologies were already apparent in their performance. Our work forms the basis of an approach for generating large ground-truth vulnerability corpora on demand, enabling rigorous tool evaluation and providing a high-quality target for tool developers.

LAVA: Large-Scale Automated Vulnerability Addition

https://research.tees.ac.uk/ws/files/6433608/110852.pdf

Automated verification of shape, size and bag properties via user-defined predicates in separation logic

One promising approach to verifying heap-manipulating programs is based on user-definedinductive predicates in separation logic. This approach can describe data structures with complex invariants and sound reasoning based on unfold/fold. However, an important component towards more expressive program verification is the use of lemmasthat can soundly relate predicates beyond their original definitions. This paper outlines a new automaticmechanism for proving and applying user-specified lemmasunder separation logic.

/pdf/enhancing-program-verification-with-lemmas-2t0cd2ded3.pdf

Enhancing Program Verification with Lemmas

Embedded systems are becoming more widely used but these systems are often resource constrained. Programming models for these systems should take into formal consideration resources such as stack and heap. In this paper, we show how memory resource bounds can be inferred for assembly-level programs. Our inference process captures the memory needs of each method in terms of the symbolic values of its parameters. For better precision, we infer path-sensitive information through a novel guarded expression format. Our current proposal relies on a Presburger solver to capture memory requirements symbolically, and to perform fixpoint analysis for loops and recursion. Apart from safety in memory adequacy, our proposal can provide estimate on memory costs for embedded devices and improve performance via fewer runtime checks against memory bound.

/pdf/analysing-memory-resource-bounds-for-low-level-programs-1aptfrgikh.pdf

Analysing memory resource bounds for low-level programs

An acceptability envelope is a region of imperfect but acceptable software systems surrounding a given perfect system. Explicitly targeting the acceptability envelope during development (rather than attempting to minimize the number of errors, as is the current practice) has several potential benefits. Specifically, leaving acceptable errors in the system eliminates the risks and costs associated with attempting to repair the errors; investing fewer resources in less critical regions of the program and more resources in more critical regions may increase acceptability and reduce the overall investment of development resources.To realize these benefits, the acceptability envelope must be both sizable and accessible. We present several case studies that explore the acceptability envelopes of the Pine email client and the Sure-Player MPEG decoder. These studies show that both Pine and Sure-Player can tolerate the addition of many off-by-one errors without producing unacceptable behavior. This result suggests that current systems may be overengineered in the sense that they can tolerate many more errors than they currently contain.Our SurePlayer case study also shows that SurePlayer has unforgiving regions of code that must be close to perfect for the system to function at all. To effectively exploit the acceptability envelope, developers must be able to distinguish forgiving and unforgiving regions so that they can appropriately prioritize their development effort. In SurePlayer, the unforgiving regions occur in code that uses metadata to parse the input stream; the forgiving regions tend to access the data within each image. This result suggests that developers may be able to use relatively simple indicators to effectively prioritize their development effort.

/pdf/exploring-the-acceptability-envelope-32dl56xnai.pdf

Exploring the acceptability envelope

Many software properties can be analysed through a relational size analysis on each function's inputs and outputs. Such relational analysis (through a form of dependent typing) has been successfully applied to declarative programs, and to restricted imperative programs; but it has been elusive for object-based programs. The main challenge is that objects may mutate and they may be aliased. In this paper, we show how safety policies of programs can be analysed by tracking size properties of objects and be enforced by objects' invariants and the preconditions of methods. We propose several new ideas to allow both mutability and sharing of objects, whilst aiming for precision in our analysis. We introduce the concept of size-immutability to facilitate sharing, and also a set of alias controls to track unaliased objects whose size properties may change. We formalise our results through a set of advanced type checking rules for an object-based imperative language. We re-affirm the utility of the proposed type system by showing how a variety of software properties can be automatically verified according to size-inspired safety policies.

/pdf/verifying-safety-policies-with-size-properties-and-alias-9wsfagnqxb.pdf

Huu Hai Nguyen

Papers

Automated verification of shape, size and bag properties via user-defined predicates in separation logic

Enhancing Program Verification with Lemmas

Analysing memory resource bounds for low-level programs

Exploring the acceptability envelope

Verifying safety policies with size properties and alias controls