Analysis at Microsoft Used by permission for 17-654/17-754...
Transcript of Analysis at Microsoft Used by permission for 17-654/17-754...
![Page 1: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/1.jpg)
Software Excellence via
Program Analysis
at Microsoft
Manuvir Das
Center for Software Excellence
Microsoft Corporation
Used by perm
ission for 17-654/17-754:
Analysis of Software Artifacts
Jonathan Aldrich, Instructor
![Page 2: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/2.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
2
Static Analysis at Microsoft
�Program Analysis group in June 2005
–Filed 7000+ bugs
–Automatically added 10,000+ specifications
–Answered hundreds of emails
(one future version of one product)
�We are program analysis researchers
–but we live and breathe deployment & adoption
–and we feel the pain of the customer
![Page 3: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/3.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
3
Context
�The Nail (W
indows)
–Manual processes do not scale to “real”software
�The Hammer (Program Analysis)
–Automated m
ethods for “searching”programs
�The Carpenter (CSE)
–A systematic, heavily automated, approach to
improving the “quality”of software
![Page 4: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/4.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
4
Roadmap
�(part of) The engineering process today
�(some of) The tools that enable the process
�(a few) Program analyses behind the tools
�(too many) Lessons learned along the way
�(too few) Suggestions for future research
![Page 5: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/5.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
5
Engineering process
![Page 6: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/6.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
6
Methodology
Root Cause
Analysis
Measurement
Analysis
Technology
Resource
Constraints
Engineering
Process
![Page 7: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/7.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
7
Root cause analysis
�Understand important failures in a deep way
–Every M
SRC bulletin
–Beta release feedback
–Watson crash reports
–Self host
–Bug databases
�Design and adjust the engineering process to
ensure that these failures are prevented
![Page 8: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/8.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
8
Measurement
�Measure everything about the process
–Code quality
–Code velocity
–Tools effectiveness
–Developer productivity
�Tweak the process accordingly
![Page 9: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/9.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
9
Process –Build Architecture
Main
Branch
Team
Branch
Desktop
Team
Branch
Team
Branch
Desktop
……
……
……
![Page 10: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/10.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
10
Process –Quality Gates
�Lightweight tools
–run on developer desktop & team level branches
–issues tracked within the program artifacts
�Enforced by rejection at gate
Main
Branch
Team
Branch
Desktop
Team
Branch
Team
Branch
Desktop
……
……
……
![Page 11: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/11.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
11
Process –Automated Bug Filing
�Heavyweight tools
–run on main branch
–issues tracked through a central bug database
�Enforced by bug cap
Main
Branch
Team
Branch
Desktop
Team
Branch
Team
Branch
Desktop
……
……
……
![Page 12: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/12.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
12
Tools
![Page 13: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/13.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
13
QG –Code Coverage via Testing
�Reject code that is not adequately tested
–Maintain a m
inimum bar for code coverage
�Code coverage tool –Magellan
�Based on binary analysis -Vulcan
![Page 14: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/14.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
14
Magellan
�BBCover
–low overhead instrumentation & collection
–down to basic block level
�Sleuth
–coverage visualization, reporting & analysis
�Blender
–coverage migration
�Scout
–test prioritization
![Page 15: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/15.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
15
QG –Component Integrity
�Reject code that breaks the componentized
architecture of the product
–Control all dependencies across components
�Dependency analysis tool –MaX
�Based on binary analysis -Vulcan
![Page 16: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/16.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
16
MaX
�Constructs a graph of dependencies
between binaries (DLLs) in the system
–Obvious : call graph
–Subtle : registry, RPC, …
�Compare policy graph and actual graph
�Some discrepancies are treated as errors
![Page 17: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/17.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
17
Vulcan
�Input –binary code
�Output –program abstractions
�Adapts to level of debug inform
ation
�Makes code instrumentation easy
–think ATOM
�Makes code modification easy
–link time, post link time, install time, run time
![Page 18: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/18.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
18
QG –Form
al Specifications
�Reject code with poorly designed and/or
insufficiently specified interfaces
�Lightweight specification language –
SAL
–initial focus on m
emory usage
�All functions must be SAL annotated
�Fully supported in Visual Studio (see MSDN)
![Page 19: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/19.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
19
SAL
�A language of contracts between functions
�preconditions
–Statements that hold at entry to the callee
–What does a callee expect from its callers?
�postconditions
–Statements that hold at exit from the callee
–What does a callee promise its callers?
�Usage example:
a0RT func(a1…anT par)
�Buffer sizes, null pointers, memory usage, …
![Page 20: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/20.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
20
SAL Example
�wcsncpy
–precondition: destination m
ust have enough
allocated space
wchar_t wcsncpy (
wchar_t *dest, wchar_t *src, size_t num );
wchar_t wcsncpy (
__pre __writableTo(elementCount(num))wchar_t *dest,
wchar_t *src, size_t num );
![Page 21: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/21.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
21
SAL Principle
�Control the power of the specifications:
–Im
practical solution: Rewrite code in a different
language that is amenable to automated analysis
–Practical solution: Form
alize invariants that are
implicit in the code in intuitive notations
�These invariants often already appear in comments
![Page 22: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/22.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
22
Defect Detection Process –1
Code Base
Local
Checking
Code Review
Potential
Defects
Annotation
Fixes,
Bug Fixes
Annotated
Code
Manual
Annotations
![Page 23: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/23.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
23
QG –Integer Overflow
�Reject code with potential security holes due
to unchecked integer arithmetic
�Range specifications + range checker –IO
�Local (intra-procedural) analysis
�Runs on developer desktop as part of regular
compilation process
![Page 24: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/24.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
24
IO �Enforces correct arithmetic for allocations
�Construct an expression tree for every
interesting expression in the code
�Ensure that every node in the tree is checked
size1 = …
size2 = …
data = MyAlloc(size1+size2);
for (i = 0; i < size1; i++)
data[i] = …
![Page 25: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/25.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
25
QG –Buffer Overruns
�Reject code with potential security holes due
to out of bounds buffer accesses
�Buffer size specifications + buffer overrun
checker –espX
�Local (intra-procedural) analysis
�Runs on developer desktop as part of regular
compilation process
![Page 26: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/26.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
26
Bootstrap the process
�Combine global and local analysis:
–Weak global analysis to infer (potentially
inaccurate) interface annotations -SALinfer
–Strong local analysis to identify incorrect code
and/or annotations -espX
![Page 27: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/27.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
27
Defect Detection Process -2
Code Base
Annotation
Inference
Local
Checking
Code Review
Potential
Defects
Annotation
Fixes,
Bug Fixes
Annotated
Code
Manual
Annotations
![Page 28: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/28.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
28
voidwork()
{int
elements[200];
wrap(elements, 200);
} voidwrap(
int
*buf,
int
len)
{int
*buf2 = buf;
int
len2 = len;
zero(buf2, len2);
} voidzero(
int
*buf,
int
len)
{int
i;
for(i = 0; i <= len; i++)
buf[i] = 0;
}
SALinfer
![Page 29: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/29.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
29
voidwork()
{int
elements[200];
wrap(elements, 200);
} voidwrap(
int
*buf,
int
len)
{int
*buf2 = buf;
int
len2 = len;
zero(buf2, len2);
} voidzero(
int
*buf,
int
len)
{int
i;
for(i = 0; i <= len; i++)
buf[i] = 0;
}
SALinfer
Track flow of values through the code
1.
Finds stack buffer
![Page 30: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/30.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
30
voidwork()
{int
elements[200];
wrap(elements, 200);
} voidwrap(
int
*buf,
int
len)
{int
*buf2 = buf;
int
len2 = len;
zero(buf2, len2);
} voidzero(
int
*buf,
int
len)
{int
i;
for(i = 0; i <= len; i++)
buf[i] = 0;
}
SALinfer
Track flow of values through the code
1.
Finds stack buffer
2.
Adds annotation
voidwork()
{int
elements[200];
wrap(elements, 200);
} voidwrap(pre elementCount(len)
int
*buf,
int
len)
{int
*buf2 = buf;
int
len2 = len;
zero(buf2, len2);
} voidzero(
int
*buf,
int
len)
{int
i;
for(i = 0; i <= len; i++)
buf[i] = 0;
}
![Page 31: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/31.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
31
voidwork()
{int
elements[200];
wrap(elements, 200);
} voidwrap(
int
*buf,
int
len)
{int
*buf2 = buf;
int
len2 = len;
zero(buf2, len2);
} voidzero(
int
*buf,
int
len)
{int
i;
for(i = 0; i <= len; i++)
buf[i] = 0;
}
SALinfer
Track flow of values through the code
1.
Finds stack buffer
2.
Adds annotation
3.
Finds assignments
voidwork()
{int
elements[200];
wrap(elements, 200);
} voidwrap(pre elementCount(len)
int
*buf,
int
len)
{int
*buf2 = buf;
int
len2 = len;
zero(buf2, len2);
} voidzero(
int
*buf,
int
len)
{int
i;
for(i = 0; i <= len; i++)
buf[i] = 0;
}
![Page 32: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/32.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
32
voidwork()
{int
elements[200];
wrap(elements, 200);
} voidwrap(
int
*buf,
int
len)
{int
*buf2 = buf;
int
len2 = len;
zero(buf2, len2);
} voidzero(
int
*buf,
int
len)
{int
i;
for(i = 0; i <= len; i++)
buf[i] = 0;
}
SALinfer
Track flow of values through the code
1.
Finds stack buffer
2.
Adds annotation
3.
Finds assignments
4.
Adds annotation
voidwork()
{int
elements[200];
wrap(elements, 200);
} voidwrap(pre elementCount(len)
int
*buf,
int
len)
{int
*buf2 = buf;
int
len2 = len;
zero(buf2, len2);
} voidzero(
int
*buf,
int
len)
{int
i;
for(i = 0; i <= len; i++)
buf[i] = 0;
}voidwork()
{int
elements[200];
wrap(elements, 200);
} voidwrap(pre elementCount(len)
int
*buf,
int
len)
{int
*buf2 = buf;
int
len2 = len;
zero(buf2, len2);
} voidzero(pre elementCount(len) int
*buf,
int
len)
{int
i;
for(i = 0; i <= len; i++)
buf[i] = 0;
}
![Page 33: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/33.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
33
voidwork()
{int
elements[200];
wrap(elements, 200);
} voidwrap(pre elementCount(len)
int
*buf,
int
len)
{int
*buf2 = buf;
int
len2 = len;
zero(buf2, len2);
} voidzero(pre elementCount(len)
int
*buf,
int
len)
{int
i;
for(i = 0; i <= len; i++)
buf[i] = 0;
}
espX
![Page 34: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/34.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
34
voidwork()
{int
elements[200];
wrap(elements, 200);
} voidwrap(pre elementCount(len)
int
*buf,
int
len)
{int
*buf2 = buf;
int
len2 = len;
zero(buf2, len2);
} voidzero(pre elementCount(len)
int
*buf,
int
len)
{int
i;
for(i = 0; i <= len; i++)
buf[i] = 0;
}
Building and solving constraints
1.
Builds constraints
2.
Verifies contract
espX
![Page 35: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/35.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
35
voidwork()
{int
elements[200];
wrap(elements, 200);
} voidwrap(pre elementCount(len)
int
*buf,
int
len)
{int
*buf2 = buf;
int
len2 = len;
zero(buf2, len2);
} voidzero(pre elementCount(len)
int
*buf,
int
len)
{int
i;
for(i = 0; i <= len; i++)
buf[i] = 0;
}
Building and solving constraints
1.
Builds constraints
2.
Verifies contract
3.
Builds constraints
len = length(buf); i ≤len
4.
Finds overrun
i < length(buf) ? NO!
espX
![Page 36: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/36.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
36
QG –Code Correctness
�Reject code with potential crashes due to improper
usage of memory
�Pointer usage specifications + memory usage
checker –PREfast
�Managed code –
PREsharp
�Local (intra-procedural) analysis
�Runs on developer desktop as part of regular
compilation process
![Page 37: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/37.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
37
ABF –Code Correctness
�Tease out hard to find inter-component bugs
that lead to crashes
–null dereference, un-initialized m
emory, leaks, …
–difficult to find accurately on the desktop
�Inter-procedural symbolic evaluation -PREfix
![Page 38: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/38.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
38
PREfix
�Bottom-up process on the call graph
�Symbolic evaluation of a fixed number of
distinct paths through each function
–use symbolic state to remove infeasible paths
–report defects
–build function m
odels for use by callers
�Solved all the difficult engineering problems
for the inter-procedural tools to follow
![Page 39: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/39.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
39
ABF –Security
�For every new security issue, map it to a
coding defect and root out all other instances
–Each coding defect is a different pattern, but most
can be viewed as finite state properties
�Heavyweight, thorough, property-based inter-
procedural analysis -ESP
![Page 40: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/40.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
40
Property-based analysis
void main ()
{if (dump)
fil = fopen(dumpFile,”w”);
if (p)
x = 0;
elsex = 1;
if (dump)
fclose(fil);
}
![Page 41: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/41.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
41
Property-based analysis
void main ()
{if (dump)
Open;
if (p)
x = 0;
elsex = 1;
if (dump)
Close;
}
![Page 42: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/42.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
42
Property-based analysis
Closed
Opened
Error
Open
Open
Close
Print/Close
*
void main ()
{if (dump)
Open;
if (p)
x = 0;
elsex = 1;
if (dump)
Close;
}
![Page 43: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/43.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
43
ESP
�Symbolically evaluate the program
–track FSA state and execution state
�At control flow branch points:
–Execution state implies branch direction?
�Yes: process appropriate branch
�No: split state and process both branches
�At control flow m
erge points:
–States agree on property FSA state?
�Yes: merge states
�No: process states separately
![Page 44: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/44.jpg)
Example
entry
dump
p
x = 0
x = 1
Open
Close
exit
dump
T T T
F F
F
![Page 45: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/45.jpg)
Example [Closed]
entry
dump
p
x = 0
x = 1
Open
Close
exit
dump
T T T
F F
F
![Page 46: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/46.jpg)
Example
[Opened|dump=T]
[Closed]
entry
dump
p
x = 0
x = 1
Open
Close
exit
dump
T T T
F F
F
![Page 47: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/47.jpg)
Example
[Opened|dump=T]
[Closed]
[Closed|dump=F]
entry
dump
p
x = 0
x = 1
Open
Close
exit
dump
T T T
F F
F
![Page 48: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/48.jpg)
Example
[Opened|dump=T]
[Closed]
[Closed|dump=F]
[Opened|dump=T,p=T,x=0]
[Opened|dump=T,p=F,x=1]
entry
dump
p
x = 0
x = 1
Open
Close
exit
dump
T T T
F F
F
![Page 49: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/49.jpg)
Example
[Opened|dump=T]
[Closed]
[Closed|dump=F]
[Opened|dump=T]
entry
dump
p
x = 0
x = 1
Open
Close
exit
dump
T T T
F F
F
![Page 50: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/50.jpg)
Example
[Opened|dump=T]
[Closed]
[Closed|dump=F]
[Opened|dump=T]
[Closed|dump=F]
entry
dump
p
x = 0
x = 1
Open
Close
exit
dump
T T T
F F
F
![Page 51: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/51.jpg)
Example
[Opened|dump=T]
[Closed]
[Closed|dump=T]
[Closed|dump=F]
[Opened|dump=T]
[Closed|dump=F]
entry
dump
p
x = 0
x = 1
Open
Close
exit
dump
T T T
F F
F
![Page 52: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/52.jpg)
Example
[Opened|dump=T]
[Closed]
[Closed|dump=F]
[Opened|dump=T]
[Closed|dump=F]
[Closed]
entry
dump
p
x = 0
x = 1
Open
Close
exit
dump
T T T
F F
F
![Page 53: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/53.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
53
Lessons
![Page 54: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/54.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
54
Forcing functions for change
�Gen 1: Manual Review
–Too many paths
�Gen 2: Massive Testing
–Inefficient detection of common patterns
�Gen 3: Global Program Analysis
–Stale results
�Gen 4: Local Program Analysis
–Lack of context
�Gen 5: Specifications
![Page 55: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/55.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
55
Don’t bother doing this without -
�No-brainer must-haves
–Defect viewer, docs, champions, partners
�A mechanism for developers to teach the tool
–Suppression, assertion, assumption
�A willingness to support the tool
�A positive attitude
![Page 56: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/56.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
56
Myth 1 –Completeness m
atters
Complete == find only real bugs
�The real measure is Fix Rate
�Centralized: >50%
�Desktop: >75%
�Specification inference
–Is it much worse than m
anual insertion?
JA: edited to swap soundness/completeness,
for consistency with course usage
![Page 57: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/57.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
57
Myth 2 –Soundness m
atters
Sound == find all the bugs
�There will never be a sound analysis
–Partial specifications
–Missing code
�Developers want consistentanalysis
–Tools should be stable w.r.t. minor code changes
–Systematic, thorough, tunable program analysis
JA: edited to swap soundness/completeness,
for consistency with course usage
![Page 58: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/58.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
58
Myth 3 –Developers only fix real bugs
�Key attributes of a “fixable”bug
–Easy to fix
–Easy to verify
–Unlikely to introduce a regression
�Simple tools can be very effective
![Page 59: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/59.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
59
Myth 4 –Developers hate specifications
�Control the power of the specifications
�This will work
–Form
alize invariants that are implicit in the code
�This will not work
–Re-write code in a different language that is
amenable to automated analysis
�Think like a developer
![Page 60: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/60.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
60
Don’t break the shipping code ☺ ☺☺☺
b = a + 16; Use(b);
b = __invariant(a) + 16; Use(b);
__invariant(a); b = a + 16; Use(b);
�__invariant() is an annotation m
acro
–generates code in the tools build, noop in the real build
�Before:
�After (correct code):
�After (incorrect code):
�Incorrect usage silently breaks the code!
![Page 61: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/61.jpg)
Analysis of Software Artifacts
Manuvir Das, Microsoft Corporation
61
Summary
�Program analysis technology can make a
huge impact on how software is developed
�The trick is to properly balance research on
new techniques with a focus on deployment
�The Center for Software Excellence (CSE) at
Microsoft is doing this (well?) today
![Page 62: Analysis at Microsoft Used by permission for 17-654/17-754 ...aldrich/courses/654-sp09/slides/29-static-anal-at-microsoft.pdfAnalysis of Software Artifacts Manuvir Das, Microsof t](https://reader033.fdocuments.in/reader033/viewer/2022060307/5f09eb977e708231d429239c/html5/thumbnails/62.jpg)
©2005 Microsoft Corporation. All rights reserved.
This presentation is for inform
ational purposes only.
MICROSOFT MAKES NO W
ARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
http://www.m
icrosoft.com/cse
http://research.m
icrosoft.com/m
anuvir