HCSSAS
Capabilities and Limitations of Static Error Detection in Software for Critical Systems
S. Tucker Taft, CTO, SofCheck, Inc., Burlington, MA, USA

Outline
• Advanced Static Analysis for Correctness and Security Checking
• Formal Proof
• Model Checking
• Flow Analysis, Abstract Interpretation, Symbolic Execution
• Future Challenges and Directions
Advanced Static Analysis
• Correctness and Security Checking
  • Not just “style” checking
• Application-specific Correctness and Security relative to formal specification of application
• Or
• Application-independent Correctness / Meaningfulness / Run-Time-Failure-Free-ness / Security relative to language specification
• Discovery of Properties?
Formal Proof
• Traditionally seen as proving (partial or total) correctness relative to formal application specification
• Generally not fully automated; can get “stuck” on loops and recursion, needing human intervention to suggest invariants
  • Progress is being made on achieving lights-out proof systems
• Reputation for only being able to handle small systems
  • Some > 100 KLOC systems have now been “proved” correct
• Hoare Verification Grand Challenge
  • Push the envelope on automated formal verification
• Formal proof systems can be used to prove application-independent properties
  • Freedom from run-time exceptions
Model Checking
• Derived from work on hardware verification
• Examines entire state space to verify predicate
• Requires significant approximations to handle enormous software state space
  • E.g. transform into Boolean program
• Can have challenges in finding multiple kinds of errors in a single analysis
• Can be used effectively on design-level model of system
Flow Analysis
• Many names
  • Control and Data Flow Analysis
  • Abstract Interpretation
  • Symbolic Execution
• Strong heritage in optimizing compiler technology
  • Alias Analysis
  • Static Single Assignment
  • Value and Range Propagation
• Scalable Interprocedural Analysis
  • Iterative algorithms to achieve fix point
  • Necessary and appropriate approximations
  • Sound or unsound (false positives vs. false negatives)
• Flexibility allows orientation toward discovery of properties, e.g.:
  • Discover preconditions of algorithms as-built that ensure no run-time failures
  • Discover maximum stack or heap usage
Future Challenges and Directions
• False Negatives and False Positives
  • Too many of either makes the diagnostic test useless
  • Fighting against the Halting problem
    • Due to approximations and pragmatics
    • Loops and recursion make approximations inevitable
  • Example of Boring Positive: failures due to overflow of 32-bit counter
    • Of course it depends on anticipated lifetime of individual invocation of system
    • Think Y2K
• Incremental analysis
  • Handle larger, evolving systems in “developer” time
  • Provide what-if analysis
• Systems of systems
  • Multiple programming languages
  • Extra-language communication mechanisms
• Static Timing and Performance Analysis
  • Automated identification of bottlenecks
  • Related to discovery of properties
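Added example, not from the slides and not SofCheck's tool: a minimal interval-domain abstract interpreter for the counter loop `i = 0; while i < n: i = i + step`, iterating to a fix point with widening and one narrowing pass as the Flow Analysis slide describes, and flagging the 32-bit counter overflow used as the "boring positive" above. The input ranges for `n` and `step`, the helper names and `max_safe_n` (the discovered as-built precondition) are assumptions.

```python
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
INF = float("inf")

def join(a, b):
    """Least upper bound of two intervals; None is bottom (unreachable)."""
    if a is None:
        return b
    if b is None:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def widen(old, new):
    """Widening: a bound that is still moving jumps to infinity, so the
    iteration terminates instead of counting up one value per round."""
    lo = old[0] if new[0] >= old[0] else -INF
    hi = old[1] if new[1] <= old[1] else INF
    return (lo, hi)

def analyze_counter_loop(n_range, step_range, max_rounds=50):
    """Abstractly execute  i = 0; while i < n: i = i + step  with n and step
    drawn from the given intervals. Returns (interval of i at the loop head,
    interval of i + step in the body, overflow_possible), where overflow
    means i + step may leave the int32 range. Sound, so a True result is a
    possible false (or 'boring') positive, never a missed real overflow."""
    init = (0, 0)

    def body(head):
        # The guard i < n bounds i by max(n) - 1 inside the body.
        cond_hi = n_range[1] - 1
        if head[0] > cond_hi:
            return None                      # body unreachable
        lo, hi = head[0], min(head[1], cond_hi)
        return (lo + step_range[0], hi + step_range[1])

    head = init
    for _ in range(max_rounds):               # iterate to a fix point
        new_head = widen(head, join(init, body(head)))
        if new_head == head:
            break
        head = new_head
    head = join(init, body(head))             # one narrowing pass regains precision
    body_sum = body(head)
    overflow = body_sum is not None and (body_sum[1] > INT32_MAX or body_sum[0] < INT32_MIN)
    return head, body_sum, overflow

def max_safe_n(step_range):
    """Discovered precondition: largest max(n) for which no int32 overflow is possible."""
    return INT32_MAX - step_range[1] + 1 if step_range[1] > 0 else INF
```

With an unknown upper bound for `n`, e.g. `n_range=(0, INF)`, the analysis reports the overflow from the slide: whether that is a real defect depends on how long one invocation of the system is expected to run.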
Tucker Taft
tucker.taft@sofcheck.com
+1 (781) 750-8068 x220
11 Cypress Drive, Burlington, MA 01803-4907