Computer Science

The program state for object-oriented languages, such as Java or C#, consists of both variables local to procedures and variables stored in the global heap. The variables stored in the heap are the fields of objects (ie, fields of class instances). This paper proposes a technique for inferring properties of such object-oriented programs.

Abstract. A program verifier is a complex system that uses compiler technology, program semantics, property inference, verification-condition generation, automatic decision procedures, and a user interface. This paper describes the architecture of a state-of-the-art program verifier for object-oriented programs.

Abstract. A certified program analysis is an analysis whose implementation is accompanied by a checkable proof of soundness. We present a framework whose purpose is to simplify the development of certified program analyses without compromising the run-time efficiency of the analyses. At the core of the framework is a novel technique for automatically extracting Coq proof-assistant specifications from ML implementations of program analyses, while preserving to a large extent the structure of the implementation.

Abstract. Detailed memory models that expose individual fields are necessary to precisely analyze code that makes use of low-level aspects such as, pointers to fields and untagged unions. Yet, higher-level representations that collect fields into records are often used because they are typically more convenient and efficient in modeling the program heap. In this paper, we present a shape graph representation of memory that exposes individual fields while largely retaining the convenience of an object-level model.

Because of fundamental limitations in what can be computed automatically, all program analyzers must incorporate some amount of domain-specific knowledge. Typically, such domain-specific knowledge is either provided by expert-user specification or built directly into the analyzer. The former approach often expects a high-level of program analysis expertise, while the latter does not allow for any input from the program developer---the person who best understands the code being analyzed.

We present techniques for determining the precision gap between Andersen's points-to analysis and precise flow-insensitive points-to analysis in practice. While previous work has shown that such a gap may exist, no efficient algorithm for precise flow-insensitive analysis is known, making measurement of the gap on real-world programs difficult.

Abstract. Real-world data structures are often enhanced with additional pointers capturing alternative paths through a basic inductive skeleton (eg, back pointers, head pointers). From the static analysis point of view, we must obtain several interlocking shape invariants. At the same time, it is well understood in abstract interpretation design that supporting a separation of concerns is critically important to designing powerful static analyses. Such a separation of concerns is often obtained via a reduced product on a case-by-case basis.

Documentation of knowledge about biological pathways is often informal and vague, making it difficult to efficiently synthesize the work of others into a holistic understanding of a system. Several researchers have proposed solving this problem by modeling pathways using formal languages, which have a precise and consistent semantics. While precise, many of these languages may be too low-level to model feasibly complex pathways.

Developer-supplied data structure specifications are important to shape analyses, as they tell the analysis what information should be tracked in order to obtain the desired shape invariants. We observe that data structure checking code (eg, used in testing or dynamic analysis) provides shape information that can also be used in static analysis. In this paper, we propose a lightweight, automatic shape analysis based on these developer-supplied structural invariant checkers.

Abstract. Analysis or verification of low-level code is useful for minimizing the disconnect between what is verified and what is actually executed and is necessary when source code is unavailable or is, say, intermingled with inline assembly. We present a modular framework for building pipelines of cooperating decompilers that gradually lift the level of the language to something appropriate for source-level tools.

Abstract. Almost all computer users today are aware that malicious code, such as viruses and worms, can cause a great amount of damage. Nonetheless, most software is still distributed as binary executables with basically no certification of their safety, nor do users use sufficient safeguards when executing such untrusted code. We assert that while end users know the security properties they would like upheld, most existing systems do not provide a method by which those precise properties can be specified.

Static analysis designers must carefully balance precision and efficiency. In our experience, many static analysis tools are built around an elegant, core algorithm, but that algorithm is then extensively tweaked to add just enough precision for the coding idioms seen in practice, without sacrificing too much efficiency.

Abstract We present the Open Verifier approach for verifying untrusted code using customized verifiers. This approach can be viewed as an instance of foundational proof-carrying code where an untrusted program can be checked using the verifier most natural for it instead of using a single generic type system. In this paper we focus on a specialized architecture designed to reduce the burden of expressing both type-based and Hoare-style verifiers.

Abstract. A linear syntax for natural deduction proofs in first-order intuitionistic logic is presented, which has been an effective tool for teaching logic. The proof checking algorithm is also given, which is the core of the tutorial proof checker Tutch. This syntax is then extended to proofs on the assertion level which resemble single inferences one would make in a rigorous proof. The resulting language has only four constructs. Checking of these proofs is decidable, and an efficient algorithm is given.

Abstract Shape analyses are concerned with precise abstractions of the heap to capture detailed structural properties. To do so, they need to build and decompose summaries of disjoint memory regions. Unfortunately, many data structure invariants require relations be tracked across disjoint regions, such as intricate numerical data invariants or structural invariants concerning back and cross pointers.

Abstract There is no perfect programming language. Programmers must write code conforming to the idiosyncrasies of a programming language. Thus, there is often a disconnect between the intent of the developer and the meaning of the program. This semantic gap has a negative effect on programmer productivity, software reliability, and execution efficiency. In this position paper, we argue that in order to address this semantic gap, we must drastically rethink how we develop software.

Abstract It is a common belief that certifying compilation, which typically verifies the welltypedness of compiler output, can be an effective mechanism for compiler debugging, in addition to ensuring basic safety properties. Bytecode verification is a fairly simple example of this approach and derives its simplicity in part by compiling to carefully crafted high-level bytecodes. In this paper, we seek to push this method to native assembly code, while maintaining much of the simplicity of bytecode verification.

Abstract We present a model of stateful computation for systems comprised of a large, dynamic set of processors. Our implementation exhibits the reconfigurability and scalability of recent distributed hash tables [23, 26, 27, 29] while guaranteeing atomic [11, 19] semantics for objects of arbitrary type stored in the system. First, we present an algorithm whose liveness is conditional on nodes (processors) not failing and all messages being delivered reliably.

ABSTRACT Popular language-based security mechanisms for software systems are based on verifiers that enforce a fixed and trusted type system. We live in a multi-lingual world and no system is written entirely in a single strongly-typed language.