Airac: Static Analyzer for Automatic Verification of Array Index Ranges in C Programs

Airac
• Automatic detection of memory-access errors (out-of-range array indexing) in C programs. Every access below goes through the same 10-element buffer, but each reaches it by a different route the analyzer has to track:
  int *c = (int *)malloc(sizeof(int)*10);
  c[i] = 1;                         /* plain index variable */
  c[i + f()] = 1;                   /* index depends on a call's return value */
  c[*k + (*g)()] = 1;               /* index through a pointer and a function pointer */
  x = c; x[1] = 1;                  /* access through an alias */
  y = c + f(); y[*(y+1)] = 1;       /* pointer arithmetic; index itself read through the pointer */
  z->a = c; (z->a)[i] = 1;          /* buffer stored in a struct field */
  foo(c+2);                         /* buffer (offset) passed to another procedure */
  int foo(int *d) { … d[i] = 1; … } /* and indexed inside the callee */
Airac keywords
• C: analyzes ANSI C plus GNU extensions
• pointers: to arrays and to procedures (function pointers)
• control flow: procedure calls, return, break, goto
• intra- and inter-procedural
• static: no test runs; the program is never executed
• all: complete, no bug goes unnoticed (every possible out-of-range access is flagged)
• automatic: a piece of software, not a manual review
• always stops: terminates even on programs that loop forever
• modular: scales to large programs
• correct: solid theoretical foundation
Airac vs Swat (2/3)
[comparison table with columns Airac | Bugs | Coverity; the cell values did not survive extraction]
cdc_acm.c (Linux device driver)
Taming false alarms
• Bayesian statistical analysis
  • after training: c
  • probability of an alarm being true ~ Beta distribution (c, x)
• Monte Carlo method
  • estimate the probability of trueness by sampling from that distribution
• Decision theory
  • parameterize the decision threshold by the risk ratio: the cost of silencing a true alarm relative to the cost of raising a false alarm
• Results:
  • risk ratio = 3: 74.83% of false alarms removed
  • ranking alarms: the order in which errors are presented to the user
Sifting Out False Alarms by Bayesian Statistical Post Analysis
Alarms a1, a2, a3, ... → Bayesian analysis → probability of being a true alarm:
  a1 0.97
  a2 0.12
  a3 0.82
  ...
Ranking False Alarms
• Rank alarms by their trueness: "truer" alarms first
• Only 15.17% of the false alarms are encountered before the user has seen 50% of the true alarms
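The three slides above (taming, sifting, ranking) describe one pipeline: learn from classified alarms, estimate each new alarm's probability of being true by Monte Carlo over Beta posteriors, silence below a risk-ratio threshold, and present the rest truest first. The Python below is an added worked example of that pipeline written for this page; it is not Airac's code, which the slides do not show. Everything in it is an assumption: the symptom names, the training corpus and the evaluation alarms are constructed, symptoms are modelled as conditionally independent given the class (a naive-Bayes simplification), and uniform Beta(1, 1) priors stand in for whatever priors the real analysis used.

```python
"""Bayesian post-analysis of analyzer alarms (added example, not Airac's code). Per symptom
and per class (true/false alarm) a Beta posterior models how often that class shows the
symptom; Monte Carlo sampling estimates P(true | symptoms); a risk-ratio threshold decides
report/silence; the estimated probability ranks what is reported."""
import math
import random
from dataclasses import dataclass

# Constructed symptom names, stand-ins for the features an analyzer attaches to an alarm.
SYMPTOMS = ("index_is_loop_counter", "bound_is_constant", "pointer_arith",
            "index_from_unknown_callee", "interprocedural")

@dataclass(frozen=True)
class Alarm:
    site: str            # where the analyzer reported a possible out-of-range access
    symptoms: frozenset  # subset of SYMPTOMS observed at that alarm

class Beta:  # Beta(alpha, beta) posterior, starting from the uniform prior Beta(1, 1)
    def __init__(self):
        self.alpha, self.beta = 1.0, 1.0
    def observe(self, success):                # one Bernoulli observation
        self.alpha, self.beta = self.alpha + success, self.beta + (not success)
    def sample(self, rng):
        return rng.betavariate(self.alpha, self.beta)

def decision_threshold(risk_ratio):
    """Report iff risk_ratio * P(true) >= 1 * P(false), i.e. P(true) >= 1 / (1 + r): the
    expected cost of silencing a true alarm must not exceed that of showing a false one."""
    return 1.0 / (1.0 + risk_ratio)

class BayesianPostAnalysis:
    def __init__(self, symptoms=SYMPTOMS):
        self.symptoms = symptoms
        self.p_true = Beta()                                                    # P(true)
        self.cond = {c: {s: Beta() for s in symptoms} for c in (True, False)}  # P(s | class)

    def train(self, labelled):
        """labelled: (Alarm, is_true) pairs for alarms a human has already classified."""
        for alarm, is_true in labelled:
            self.p_true.observe(is_true)
            for s in self.symptoms:
                self.cond[is_true][s].observe(s in alarm.symptoms)

    def probability_true(self, alarm, rng, samples=2000):
        """Monte Carlo estimate of P(true | symptoms) integrating over the Beta posteriors;
        symptoms are assumed conditionally independent given the class (naive Bayes)."""
        total = 0.0
        for _ in range(samples):
            pt, like = self.p_true.sample(rng), {True: 1.0, False: 1.0}
            for c in like:
                for s in self.symptoms:
                    ps = self.cond[c][s].sample(rng)
                    like[c] *= ps if s in alarm.symptoms else 1.0 - ps
            num = pt * like[True]
            total += num / (num + (1.0 - pt) * like[False])
        return total / samples

    def sift(self, alarms, risk_ratio, seed=0):
        """Score and rank alarms (truest first), then split into (reported, silenced)."""
        rng = random.Random(seed)
        scored = sorted(((self.probability_true(a, rng), a) for a in alarms),
                        key=lambda pa: pa[0], reverse=True)
        thr = decision_threshold(risk_ratio)
        return [pa for pa in scored if pa[0] >= thr], [pa for pa in scored if pa[0] < thr]

def mixing_ratio(ranked, truth, fraction=0.5):
    """Share of the false alarms met before `fraction` of the true alarms, reading top-down."""
    total_true = sum(1 for a in ranked if truth[a.site])
    total_false = len(ranked) - total_true
    if not total_true or not total_false:
        return 0.0
    need, seen_true, seen_false = math.ceil(fraction * total_true), 0, 0
    for a in ranked:
        if truth[a.site]:
            seen_true += 1
            if seen_true >= need:
                break
        else:
            seen_false += 1
    return seen_false / total_false

def constructed_corpus():
    """Constructed labelled data, not real analyzer output: true alarms mostly index with a
    value from an unseen callee, false alarms mostly come from constant-bounded loop counters."""
    A = lambda name, *syms: Alarm(name, frozenset(syms))
    training = []
    for i in range(12):
        extra = ("pointer_arith",) if i % 2 else ()
        training.append((A(f"t{i}", "index_from_unknown_callee", "interprocedural", *extra), True))
        training.append((A(f"f{i}", "index_is_loop_counter", "bound_is_constant", *extra), False))
    evaluation = [A("a1", "index_from_unknown_callee", "interprocedural"),
                  A("a2", "index_is_loop_counter", "bound_is_constant", "pointer_arith"),
                  A("a3", "index_from_unknown_callee", "pointer_arith"),
                  A("a4", "index_is_loop_counter", "bound_is_constant"),
                  A("a5", "pointer_arith"),
                  A("a6", "interprocedural", "index_from_unknown_callee", "pointer_arith")]
    truth = {"a1": True, "a2": False, "a3": True, "a4": False, "a5": False, "a6": True}
    return training, evaluation, truth

def run(risk_ratio=3):
    """Train on the constructed corpus, sift the evaluation alarms, compute the two metrics."""
    training, evaluation, truth = constructed_corpus()
    pa = BayesianPostAnalysis()
    pa.train(training)
    reported, silenced = pa.sift(evaluation, risk_ratio)
    n_false = sum(1 for a in evaluation if not truth[a.site])
    return {"scores": {a.site: round(p, 3) for p, a in reported + silenced},
            "reported": [a.site for _, a in reported],
            "silenced": [a.site for _, a in silenced],
            "false_removed": sum(1 for _, a in silenced if not truth[a.site]) / n_false,
            "mixing": mixing_ratio([a for _, a in reported + silenced], truth)}
```

`run(3)` trains on the constructed corpus and sifts the six evaluation alarms with risk ratio 3, i.e. threshold 0.25: the two loop-counter alarms fall far below it and are silenced, the ambiguous pointer-arithmetic alarm a5 stays near 0.5 and is kept (the decision rule errs towards showing an alarm when the evidence is balanced), and the three true alarms rank above it, so the user has seen half the true alarms before meeting any false one. The risk ratio is the only knob: raising it lowers the threshold and keeps more alarms at the price of showing more false ones.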