
Decision Procedures for String Constraints

Decision Procedures for String Constraints. Pieter Hooimeijer. http://en.wikipedia.org/wiki/Osborne_1. <img src='untrusted input'/>. What could possibly go wrong? Attacker: im.png' onload='javascript:...


Presentation Transcript


  1. Decision Procedures for String Constraints Pieter Hooimeijer

  2. http://en.wikipedia.org/wiki/Osborne_1

  3. <img src='untrusted input'/>

  4. What could possibly go wrong?

  5. <img src='untrusted input'/> Attacker: im.png' onload='javascript:...

  6. <img src='untrusted input'/> Attacker: im.png' onload='javascript:...

  7. <img src='untrusted input'/> Attacker: im.png' onload='javascript:... <img src='im.png' onload='j

  8. <img src='untrusted input'/> Attacker: im.png' onload='javascript:... <img src='im.png' onload='j

  9. www.cs.virginia.edu/~ph4u/

  10. Talk Outline Background Building Tuning Conclusion

  11. Talk Outline Background Building Tuning Conclusion

  12. [Publication timeline, 2007 to 2013] ASE: Bug Reports; Sensys: MacroLab; Sensys: MacroLab 2; Sesena: MacroLab 3; ISSTA: Hampi; USENIX Sec: BEK; POPL: BEK2; TOSEM: Hampi 2; SocialNets: Proxied Content; VMCAI: Data structures; ASE: StrSolve; PLDI: DPRLE; J. ASE: StrSolve 2

  13. [Publication timeline, 2007 to 2013] ASE: Bug Reports; Sensys: MacroLab; Sensys: MacroLab 2; Sesena: MacroLab 3; ISSTA: Hampi; USENIX Sec: BEK; POPL: BEK2; TOSEM: Hampi 2; SocialNets: Proxied Content; VMCAI: Data structures; ASE: StrSolve; PLDI: DPRLE; J. ASE: StrSolve 2. This Talk

  14. Decision Procedures • Program analysis work frequently uses one of these: • They solve mathematical constraints • There is a standard input format

  15. Example

  16. (declare-fun x () Int) (assert (= (* x x) 25)) (assert (> x 0)) (check-sat) (get-model) ✔

  17. Motivation Reasoning about strings is difficult: • for programmers • for automated tools

  18. String Constraint Solvers Kaluza Hampi Rex

  19. Kaluza Hampi Rex String a;//... R=Regex("^ab$"); assert(R.Match(a)); String a;//... R = Regex("^ab$"); R.IsMatch(a) = true;

  20. Kaluza Hampi Rex String a;//... R=Regex("^ab$"); assert(R.Match(a)); String a;//... R = Regex("^ab$"); R.IsMatch(a) = true; ✔

  21. solvers Kaluza Hampi Rex String a;//... R=Regex("^ab$"); assert(R.Match(a)); String a;//... R = Regex("^ab$"); R.IsMatch(a) = true; ✔ constraints solution(s)

  22. What should we model?

  23. Example How hard is regex matching in Perl?

  24. A: Just as hard as 3-SAT… $istr='^'.('(x?)'x $V).".*;\n" $ireg='^'. ('(x?)'x$V) .".*;\n" .join('', map {'(?:' .join('|', map{ $_<0 ?('\\'. -$_.'x') :('\\'.$_) } @$_ ) ."),\n" } @Clauses ); http://perl.plover.com/NPC/NPC-3SAT.html

  25. Where do constraints come from?

  26. Code String a;// ...R = Regex("^ab$"); if (R.IsMatch(a)) { // ... }

  27. Constraint Generation Constraint Solving

  28. Constraint Generation Constraint Solving

  29. Talk Outline Background Building Tuning Conclusion

  30. Chapter 2: Defining String Constraints Contributions: (1) The definition of the regular matching assignments problem (2) An algorithm, its implementation, and correctness proof (3) An evaluation, applying (2) to a static analysis problem

  31. demo (internet permitting)

  32. Evaluation The Task: generate string inputs that exercise 17 known vulnerabilities in 30,000 lines of PHP Metric: running time

  33. Results • Our constraint definition is sufficiently expressive to capture the constraints of interest • Wall-clock running time is between 0.01 seconds and 10 minutes

  34. Talk Outline Background Building Tuning Conclusion

  35. Chapter 3: Evaluating Data Structures Contribution: An apples-to-apples performance comparison of data structures and algorithms for automata-based string constraint solving

  36. Motivation • Existing work provided tool-to-tool performance comparisons • Confounds: Performance gains may be due to external factors

  37. The Framework • Based on Rex • Fixes external factors: • front-end parser • regex-to-automaton conversion • implementation language • search tree

  38. Study Design Tasks: • automaton intersection • automaton subtraction Metric: • running time

  39. Character Sets BDD: binary decision diagrams; Pred: symbolic bitvector ranges in DNF; Range: concrete set of character ranges; Hash: concrete set of individual characters

  40. Task 1 (55x): Task 2 (100x):

  41. Lazy Eager Task 1 (55x): Task 2 (100x):

  42. Lazy Eager Task 1 (55x): Unicode Unicode ASCII ASCII Task 2 (100x): Unicode Unicode ASCII ASCII

  43. Results Lazy Eager Task 1 (55x): Unicode Unicode ASCII ASCII Task 2 (100x): Unicode Unicode ASCII ASCII

  44. Lazy Eager ASCII BDD Pred Range Hash BDD Pred Range Hash Unicode

  45. Lazy Eager ASCII BDD Pred Range Hash BDD Pred Range Hash Unicode

  46. Chapter 4: Solving String Constraints Lazily Contributions: (1) A novel (lazy) algorithm for solving multivariate string constraints (2) A comprehensive performance evaluation

  47. Motivation • More scalable algorithms are more likely to see real use
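
The regex-membership constraint of slides 19 to 26 and the automaton intersection task of slide 38, tied back to the `src='...'` break-out of slides 5 to 8, as an added example that is not code from the talk or from any of the named solvers. It checks whether a filter's accepted language still contains a string with a single quote, and returns the shortest such string as a witness; the two filter regexes, the toy alphabet and all function names are assumptions made for illustration.

```python
from collections import deque

# Constructed toy alphabet: four letters standing in for [a-z], plus '.' and "'".
LETTERS = "apng"
ALPHABET = LETTERS + ".'"
DEAD = -1  # rejecting sink state

def png_filter(anchored_end):
    # DFA for the hypothetical check ^[a-z]+\.png (prefix match only),
    # or ^[a-z]+\.png$ when anchored_end is True.
    def step(q, ch):
        if q in (0, 1) and ch in LETTERS:
            return 1
        if q == 1 and ch == ".":
            return 2
        if q in (2, 3, 4) and ch == "png"[q - 2]:
            return q + 1
        if q == 5 and not anchored_end:
            return 5  # anything may follow ".png"
        return DEAD
    return step, 0, {5}

def contains_quote():
    # DFA for "the string contains a single quote", i.e. it can close src='...'.
    def step(q, ch):
        return 1 if q == 1 or ch == "'" else 0
    return step, 0, {1}

def witness(a, b):
    # Shortest string accepted by both DFAs, or None if the intersection is
    # empty. Product states are created only when the search reaches them.
    (step_a, start_a, final_a), (step_b, start_b, final_b) = a, b
    seen = {(start_a, start_b)}
    queue = deque([((start_a, start_b), "")])
    while queue:
        (p, q), s = queue.popleft()
        if p in final_a and q in final_b:
            return s
        for ch in ALPHABET:
            nxt = (step_a(p, ch), step_b(q, ch))
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, s + ch))
    return None

if __name__ == "__main__":
    print(repr(witness(png_filter(False), contains_quote())))
    print(repr(witness(png_filter(True), contains_quote())))
```

An empty intersection (`None`) is the result a reviewer wants from a filter guarding a quoted attribute; a non-empty one yields a concrete input to add to the regression tests for that filter.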
