Modular Static Analysis of String Manipulations in C Programs

Journault, Matthieu; Miné, Antoine; Ouadjaout, Abdelraouf

doi:10.1007/978-3-319-99725-4_16

Cited by 11 publications

(17 citation statements)

References 25 publications

(38 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Consider an abstraction of 0-terminated C strings [11] that abstracts strings with their length, i.e. the position of the first 0 in the array.…”

Section: Dynamic Expression Rewritingmentioning

confidence: 99%

“…To illustrate this form of cooperation, consider the classic example of reducing intervals and congruences [16]. Given an interval [11,12] and a congruence 2Z+1, we can refine both values in two steps. Firstly, using the fact that the value is odd, the interval is refined into [11,11].…”

Section: Domain Combinationmentioning

confidence: 99%

“…Given an interval [11,12] and a congruence 2Z+1, we can refine both values in two steps. Firstly, using the fact that the value is odd, the interval is refined into [11,11]. After that, since the interval is now a singleton, the congruence is refined into 0Z + 11.…”

Section: Domain Combinationmentioning

confidence: 99%

“…Recall that the string domain represents the length of a C string, i.e. the position of the first 0, by associating a numeric variable to each memory region [11]. The cell and string domains provide information on common parts of the C memory, hence, they are composed in a reduced product.…”

Section: Domain Combinationmentioning

confidence: 99%

“…Although Mopsa is not yet able to analyze large-scale C nor realistic Python programs, we believe that these results are encouraging as few tools have yet shown the ability to analyze languages as dynamic as Python, nor been able to factor the analysis of such different languages as C and Python in the same framework. Moreover, Mopsa is intended as a platform for research, and has been exploited in several exploratory works on analyzing Python [10], strings [11], and trees [12]. We plan to release our implementation as open-source software.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Combinations of Reusable Abstract Domains for a Multilingual Static Analyzer

Journault

Miné

Monat

et al. 2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

We discuss the design of Mopsa, an ongoing effort to design a novel semantic static analyzer by abstract interpretation. Mopsa strives to achieve a high degree of modularity and extensibility by considering value abstractions for numeric, pointer, objects, arrays, etc. as well as syntax-driven iterators and control-flow abstractions uniformly as domain modules, which offer a unified signature and loose coupling, so that they can be combined and reused at will. Moreover, domains can dynamically rewrite expressions, which simplifies the design of relational abstractions, encourages a design based on layered semantics, and enables domain reuse across different analyses and different languages. We present preliminary applications of Mopsa analyzing simple programs in subsets of the C and Python programming languages, checking them for run-time errors and uncaught exceptions.

show abstract

“…Consider an abstraction of 0-terminated C strings [11] that abstracts strings with their length, i.e. the position of the first 0 in the array.…”

Section: Dynamic Expression Rewritingmentioning

confidence: 99%

Section: Domain Combinationmentioning

confidence: 99%

Section: Domain Combinationmentioning

confidence: 99%

Section: Domain Combinationmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Combinations of Reusable Abstract Domains for a Multilingual Static Analyzer

Journault

Miné

Monat

et al. 2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

Galois Connections for Recursive Types

Al-Sibahi

Jensen

Møgelberg

et al. 2020

From Lambda Calculus to Cybersecurity Through Program Analysis

View full text Add to dashboard Cite

Building a static analyser for a real language involves modeling of large domains capturing the many available data types. To scale domain design and support efficient development of project-specific analyzers, it is desirable to be able to build, extend, and change abstractions in a systematic and modular fashion. We present a framework for modular design of abstract domains for recursive types and higher-order functions, based on the theory of solving recursive domain equations. We show how to relate computable abstract domains to our framework, and illustrate the potential of the construction by modularizing a monolithic domain for regular tree grammars. A prototype implementation in the dependently typed functional language Agda shows how the theoretical solution can be used in practice to construct static analysers. Authors ordered alphabetically type Fml = Atom ( int ) | Neg ( Fml ) | And ( Fml , Fml ) | Or ( Fml , Fml ) nnf ( f : Fml ) = case f of | Atom ( i ) -> Atom ( i ) | Neg ( Atom ( i )) -> Neg ( Atom ( i )) | Neg ( Neg ( f )) -> nnf f | Neg ( And ( f1 , f2 )) -> Or ( nnf ( Neg f1 ) , nnf ( Neg f2 )) | Neg ( Or ( f1 , f2 )) -> And ( nnf ( Neg f1 ) , nnf ( Neg f2 )) | Or ( f1 , f2 ) -> Or ( nnf f1 , nnf f2 ) | And ( f1 , f2 ) -> And ( nnf f1 , nnf f2 ) bool = unit+unit x0 : A0, . . . , xn : An ex xi : Ai Γ ex n : int Γ ex tt : unit Γ ex e1 : int Γ ex e2 : int Γ ex e1 e2 : int ( ∈ {+, −, ×}) Γ ex e1 : int Γ ex e2 : int Γ ex e1 ≤ e2 : bool Γ ex e1 : A1 Γ ex e2 : A2 Γ ex (e1, e2

show abstract

A Library Modeling Language for the Static Analysis of C Programs

Ouadjaout

Miné

2020

Static Analysis

Self Cite

View full text Add to dashboard Cite

We present a specification language aiming at soundly modeling unavailable functions in a static analyzer for C by abstract interpretation. It takes inspiration from Behavioral Interface Specification Languages popular in deductive verification, notably Frama-C's ACSL, as we annotate function prototypes with pre and post-conditions expressed concisely in a first-order logic, but with key differences. Firstly, the specification aims at replacing a function implementation in a safety analysis, not verifying its functional correctness. Secondly, we do not rely on theorem provers; instead, specifications are interpreted at function calls by our abstract interpreter. We implemented the language into Mopsa, a static analyzer designed to easily reuse abstract domains across widely different languages (such as C and Python). We show how its design helped us support a logic-based language with minimal effort. Notably, it was sufficient to add only a handful transfer functions (including very selective support for quantifiers) to achieve a sound and precise analysis. We modeled a large part of the GNU C library and C execution environment in our language, including the manipulation of unbounded strings, file descriptors, and programs with an unbounded number of symbolic command-line parameters, which allows verifying programs in a realistic setting. We report on the analysis of C programs from the Juliet benchmarks and Coreutils.

show abstract

Modular Static Analysis of String Manipulations in C Programs

Cited by 11 publications

References 25 publications

Combinations of Reusable Abstract Domains for a Multilingual Static Analyzer

Combinations of Reusable Abstract Domains for a Multilingual Static Analyzer

Galois Connections for Recursive Types

A Library Modeling Language for the Static Analysis of C Programs

Contact Info

Product

Resources

About