Decision Procedures for String Constraints
Pieter Hooimeijer
http://en.wikipedia.org/wiki/Osborne_1

<img src='untrusted input'/>
What could possibly go wrong?

Attacker:
im.png' onload='javascript:...
<img src='untrusted input'/>
<img src='im.png' onload ='j
www.cs.virginia.edu/~ph4u/

Talk Outline
Background, Building, Tuning, Conclusion

Publication timeline, 2007 to 2013 (venue: topic)
• ASE: Bug Reports
• SocialNets: Proxied Content
• Sesena: MacroLab 3
• Sensys: MacroLab 2
• USENIX Sec: BEK
• POPL: BEK2
• Sensys: MacroLab
• ISSTA: Hampi
• TOSEM: Hampi 2
This Talk
• PLDI: DPRLE
• ASE: StrSolve
• VMCAI: Data structures
• J. ASE: StrSolve 2

Decision Procedures
• Program analysis work frequently uses one of these:
• They solve mathematical constraints
• There is a standard input format

Example
(declare-fun x () Int)
(assert (= (* x x) 25))
(assert (> x 0))
(check-sat)
(get-model)
✔ [𝑥 ↦ 5]

Motivation
Reasoning about strings is difficult:
– for programmers
– for automated tools

String Constraint Solvers
Kaluza
Hampi
Rex

Constraints:

String a;
//...
R = Regex("^ab$");
R.IsMatch(a) = true;

String a;
//...
R = Regex("^ab$");
assert(R.Match(a));

Solvers: Kaluza, Hampi, Rex

Solution(s): ✔ [𝑎 ↦ 'ab']

What should we model?

Example
How hard is regex matching in Perl?
A: Just as hard as 3-SAT…
# One optional capture group per variable: it captures 'x' or the empty string.
$istr = '^' . ('(x?)' x $V) . ".*;\n";
# Each clause becomes an alternation of backreferences to those groups.
$ireg = '^' . ('(x?)' x $V) . ".*;\n" .
  join('', map {
    '(?:' . join('|', map { $_ < 0 ? ('\\' . -$_ . 'x') : ('\\' . $_) } @$_) . "),\n"
  } @Clauses);
http://perl.plover.com/NPC/NPC-3SAT.html

Where do constraints come from?

Code:
String a;
// ...
R = Regex("^ab$");
if (R.IsMatch(a)) {
  // ...
}

Constraint Generation
Constraint Solving

Chapter 2: Defining String Constraints
Contributions:
1. The definition of the regular matching assignments problem
2. An algorithm, its implementation, and correctness proof
3. An evaluation, applying (2) to a static analysis problem

demo (internet permitting)

Evaluation
The Task: generate string inputs that exercise 17 known vulnerabilities in 30,000 lines of PHP
Metric: running time

Results
• Our constraint definition is sufficiently expressive to capture the constraints of interest
• Wall-clock running time is between 0.01 seconds and 10 minutes
Chapter 3: Evaluating Data Structures
Contribution:
4. An apples-to-apples performance comparison of data structures and algorithms for automata-based string constraint solving

Motivation
• Existing work provided tool-to-tool performance comparisons
• Confounds: Performance gains may be due to external factors

The Framework
• Based on Rex
• Fixes external factors:
  – front-end parser
  – regex-to-automaton conversion
  – implementation language
  – search tree

Study Design
Tasks:
– automaton intersection
– automaton subtraction
Metric:
– running time

Character Sets
• BDD: binary decision diagrams
• Pred: symbolic bitvector ranges in DNF
• Range: concrete set of character ranges
• Hash: concrete set of individual characters

Task 1 (55x):
Task 2 (100x):
Eager, Lazy; ASCII, Unicode

Results
[Figure: four log-scale panels (Lazy and Eager, ASCII and Unicode) with axis ticks from 0.1 to 1000, comparing BDD, Pred, Range and Hash]

Chapter 4: Solving String Constraints Lazily
Contributions:
5. A novel (lazy) algorithm for solving multivariate string constraints
6. A comprehensive performance evaluation

Motivation
• More scalable algorithms are more likely to see real use

Approach
1. Eagerly construct a high-level representation of the search space
2. Explore the search space lazily, adding restrictions for one variable at a time

Evaluation
Difference, Hampi, Long Strings, CFG Intersection

Hampi: Background
[Figure: publication timeline, 2007 to 2013: SocialNets (Proxied Content), USENIX Sec (BEK), POPL (BEK2), ISSTA (Hampi), TOSEM (Hampi 2), PLDI (DPRLE), ASE (StrSolve), VMCAI (Data structures), J. ASE (StrSolve 2)]

Hampi: Architecture
Hampi
STP (bv)
MiniSAT
Stage labels: encoding, solving

Experiment
Task: regex difference (same dataset as before)
Metric: proportion of wall-clock time spent solving

Results
[Figure: proportion of running time (0% to 100%), Encoding vs. Other, for length bounds 1, 5, 10 and 15]
[Figure: proportion of running time (0% to 100%), Encoding vs. Solving, against absolute running time (0 to 10,000 seconds)]

Experiment
Task: intersect two regexes parameterized on n:
[a-c]*a[a-c]{n+1}
and
[a-c]*b[a-c]{n}
Metric: running time
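
The intersection benchmark above, worked as an added example (not code from the talk or from any of the tools it names): the product of the two NFAs is explored on demand to find a shortest common string, next to a count of the states an eager subset construction builds for one regex alone. Full-match semantics and all function names are assumptions; the determinization count goes beyond what the slide shows.

```python
from collections import deque

ALPHABET = "abc"

def nfa_kth_from_end(marker, k):
    """NFA for [a-c]*<marker>[a-c]{k} (full match): states 0..k+1."""
    def delta(state, ch):
        succ = set()
        if state == 0:
            succ.add(0)              # stay in the [a-c]* loop
            if ch == marker:
                succ.add(1)          # guess this is the marked position
        elif state <= k:
            succ.add(state + 1)      # one of the k trailing characters
        return succ
    return delta, 0, k + 1           # (transition function, start, accept)

def intersect_witness(nfa1, nfa2):
    """BFS over the product automaton; returns (shortest common string or None, pairs created)."""
    (d1, s1, f1), (d2, s2, f2) = nfa1, nfa2
    start = (s1, s2)
    parent = {start: None}
    queue = deque([start])
    while queue:
        p, q = state = queue.popleft()
        if p == f1 and q == f2:
            chars = []
            while parent[state] is not None:
                state, ch = parent[state]
                chars.append(ch)
            return "".join(reversed(chars)), len(parent)
        for ch in ALPHABET:
            for nxt in ((a, b) for a in d1(p, ch) for b in d2(q, ch)):
                if nxt not in parent:          # pair is created only when reached
                    parent[nxt] = (state, ch)
                    queue.append(nxt)
    return None, len(parent)

def dfa_size(nfa):
    """Reachable states of the eager subset construction for one NFA."""
    delta, start, _ = nfa
    seen = {frozenset([start])}
    todo = list(seen)
    while todo:
        cur = todo.pop()
        for ch in ALPHABET:
            nxt = frozenset(s for st in cur for s in delta(st, ch))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return len(seen)

def benchmark_pair(n):   # the slide's pair: [a-c]*a[a-c]{n+1} and [a-c]*b[a-c]{n}
    return nfa_kth_from_end("a", n + 1), nfa_kth_from_end("b", n)
```

The on-demand product stays within (n+3)(n+2) state pairs, while determinizing the first regex alone yields 2^(n+2) states.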

Participating Tools
Hampi
Rex
Strsolve

Results
[Figure: time (s), log scale from 0.001 to 1, against n from 0 to 1000, for Rex, Hampi and Strsolve]

Conclusion
• Introduced string constraint solving in the context of program analysis
• Two algorithms: one eager (DPRLE), one lazy (strsolve)
• Presented experiments
  – data structure selection
  – solving multivariate constraints
• Our lazy prototype outperforms other approaches on indicative workloads

www.cs.virginia.edu/~ph4u/
Thanks for stopping by!