Scientific Foundations
Abstract Interpretation Theory
The abstract interpretation theory
Abstract interpretation is a theory of sound approximation of mathematical structures, in particular those involved in the behavior of computer systems. It allows the systematic derivation
of sound methods and algorithms for approximating undecidable or highly complex problems in various areas of computer science (semantics, verification and proof, model-checking, static
analysis, program transformation and optimization, typing, software steganography, etc.).
Formal Verification by Abstract Interpretation
The
formal verificationof a program (and more generally a computer system) consists in proving that its
semantics(describing “what the program executions actually do”) satisfies its
specification(describing “what the program executions are supposed to do”).
Abstract interpretationformalizes the idea that this formal proof can be done at some level of abstraction where irrelevant details about the semantics and the specification are ignored.
This amounts to proving that an
abstract semanticssatisfies an
abstract specification. An example of abstract semantics is Hoare logic while examples of abstract specifications are invariance, partial, or total correctness. These examples abstract
away from concrete properties such as execution times.
Abstractions should preferably be
sound(no conclusion derived from the abstract semantics is wrong relative to the program concrete semantics and specification). Otherwise stated, a proof that the abstract semantics
satisfies the abstract specification should imply that the concrete semantics also satisfies the concrete specification. Hoare logic is a sound verification method, debugging is not (since some
executions are left out), bounded model checking is not either (since parts of some executions are left out). Unsound abstractions lead to
false negatives(the program may be claimed to be correct/non erroneous with respect to the specification whereas it is in fact incorrect). Abstract interpretation can be used to design
sound semantics and formal verification methods.
Abstractions should also preferably be
complete(no aspect of the semantics relevant to the specification is left out). So if the concrete semantics satisfies the concrete specification this should be provable in the abstract.
However program proofs are undecidable, and so, automatic tools for reasoning about programs are all incomplete (for non-trivial program properties such as safety, liveness, or security) and
must therefore fail on some programs. This can be achieved by allowing the tool not to terminate, to be unsound (e.g. debugging tools omit possible executions), or to be incomplete (e.g. static
analysis tools may produce false alarms). Incomplete abstractions lead to
false positivesor
false alarms(the specification is claimed to be potentially violated by some program executions while it is not). Semantics and formal verification methods designed by abstract
interpretation may be complete (e.g.
Sound, terminating and precise tools are difficult to design. Complete tools to solve non-trivial verification problems are impossible to design, by undecidability. However static analysis
tools producing very few or no false alarms have been designed and used in industrial contexts for specific families of properties and programs
Abstract interpretation aims at:
providing a basic coherent and conceptual theory for understanding in a unified framework the thousands of ideas, concepts, reasonings, methods, and tools on formal
program analysis and verification
guiding the correct formal design of automatic tools for
program analysis(computing an abstract semantics) and
program verification(proving that an abstract semantics satisfies an abstract specification)
Abstract interpretation theory studies semantics (formal models of computer systems), abstractions, their soundness, and completeness.
In practice, abstract interpretation is used to design analysis, compilation, optimization, and verification tools which must automatically and statically determine information about the
runtime behavior of programs. For example the
[Astrée]static analyzer
Advanced Introductions to Abstract Interpretation
The informal presentation “
[Abstract Interpretation in a Nutshell]” aims at providing a short intuitive introduction
to the theory. A more comprehensive introduction to abstract interpretation is available
[online]
[http://
www.
di.
ens.
fr/
~cousot/
AI/
]. The paper entitled “
[Basic]
[concepts]
[of]
[abstract]
[interpretation]”
[course on abstract interpretation]”
[http://
web.
mit.
edu/
afs/
athena.
mit.
edu/
course/
16/
16.
399/
www/
]can also be found on the web.
Application Domains
Certification of Safety Critical Software
Safety critical software may incur great damage in case of failure, such as human casualties or huge financial losses. These include many kinds of embedded software, such as fly-by-wire
programs in aircrafts and other avionic applications, control systems for nuclear power plants, or navigation systems of satellite launchers. For instance, the failure of the first launch of
Ariane 5 (flight Ariane 501) was due to overflows in arithmetic computations. This failure caused the loss of several satellites, worth up to $ 500 millions.
This development of safe and secure critical software requires formal methods so as to ensure that they do not go wrong, and will behave as specified. In particular, testing or bug finding
methods do not provide any guarantee that no failure will occur; therefore, their scope is limited for certification purposes. For instance, testing can usually not be performed for
allpossible inputs due to feasibility and cost reasons, so that it does not prove anything about a large number of possible executions.
By contrast, sound program analysis methods such as abstract-interpretation-based static analysis are able to cope with these programs, since they can prove the absence of bugs. Yet, these
techniques are generally incomplete since the absence of runtime errors is undecidable in practice; therefore, they are prone to false alarms (
i.e., they may fail to prove the absence of runtime errors for a program which is safe).
It should be noted that, due to the size of the critical codes (typically above 100 kLOCs), only scalable methods can succeed (in particular, software model checking techniques are subject
to state explosion issues). As a consequence, this domain requires efficient static analyses, where costly abstractions should be used only parsimoniously.
Furthermore, many families of critical software have similar features, such as the reliance on floating point intensive computations for the implementation of control laws, including linear
and non-linear control with feedback, interpolations, and other DSP algorithms. Since we stated that a proof of absence of runtime errors is required, very precise analyses are required, which
should be able to yield no false alarm (hence, producing a full proof of absence of runtime error) on wide families of critical applications. To achieve that goal, significant advantages can be
found in the design of domain specific analyzers, such as
[Astrée]
Last, some specific critical software qualification procedures may require additional properties being proved. As an example, the DO-178 regulations (which apply to avionics software)
require a tight, documented, and certified relation to be established between each development stage. In particular, compilation of high level programs into executable binaries should also be
certified correct.
The
Abstractionproject-team has been working on both proof of absence of runtime errors and certified compilation for six years, using abstract
interpretation techniques. Successful results have been achieved on industrial applications. The
Abstractionproject-team has strong plans to continue research on this topic and to industrialize
[Astrée].
Security Protocols
Security protocols use cryptography in order to guarantee the security of exchanges over an insecure network, such as Internet. The design of security protocols is notoriously error-prone:
errors have been found in many published protocols. Security errors can have serious consequences, such as loss of money in the case of electronic commerce. Moreover, security errors cannot be
detected by testing, because they appear only in the presence of a malicious adversary. Security protocols are therefore an important area for formal verification.
The work of the
Abstractionproject-team on security protocols has lead to the development of two successful automatic protocol verifiers,
[ProVerif]in the formal model and
[CryptoVerif]in the computational model, and we plan to pursue research on this topic, in particular with extensions to
[CryptoVerif].
Abstraction of Biological Cell Signalling Networks
Cell Signalling Networks models suffer from a combinatorial blow up in the number of species (number of non-isomorphic ways in which some proteins can connect to each others). This large
number of species makes the design and the analysis of these models a highly difficult task.
Contextual graph-rewriting systems allow a concise description of these networks, which leads to a scalable method for modelling them. Then abstract interpretation allows the abstraction of
the properties of these systems. It provides debugging information in the design phases. It also provides static information to abstract their global properties. Then, these properties are
necessary in order to make other computations scale up. For instance, ODE (Ordinary Differential Equations) generation, stochastic simulations and calibration may be considered without loss of
information after this appropriate abstraction.
Software
The
[Astrée]Static Analyzer
Patrick
Cousot
project leader, correspondant
Radhia
Cousot
Jérôme
Feret
Laurent
Mauborgne
Antoine
Miné
Xavier
Rival
Bruno
Blanchet
Nov. 2001–Nov. 2003
David
Monniaux
Nov. 2001–Aug. 2007
absence of runtime error
abstract interpretation
static analysis
verifier
The
[Astrée]static analyzer
[www.
astree.
ens.
fr]aims at proving the absence of runtime errors in programs written in the C programming language.
[Astrée]analyzes structured C programs, with complex memory usages, but without dynamic memory allocation and recursion. This encompasses many embedded programs as found in earth transportation,
nuclear energy, medical instrumentation and aerospace applications, in particular synchronous control/command. The whole analysis process is entirely automatic.
[Astrée]discovers all runtime errors including:
undefined behaviors in the terms of the ANSI C99 norm of the C language (such as division by 0 or out of bounds array indexing);
any violation of the implementation specific behavior as defined in the relevant Application Binary Interface (such as the size of integers and arithmetic overflows);
any potentially harmful or incorrect use of C violating optional user-defined programming guidelines (such as no modular arithmetic for integers, even though this might
be the hardware choice);
user defined assertions.
The analyzer performs an abstract interpretation of the programs being analyzed, using a parametric domain (
[Astrée]is able to choose the right instantiation of the domain for wide families of software). This analysis produces abstract invariants, which over-approximate the reachable states of the
program, so that it is possible to derive an
over-approximation of the dangerous states (defined as states where any runtime error mentioned above may occur) that the program may reach, and produces alarms for each such possible
runtime error. Thus the analysis is sound (it correctly discovers
allruntime errors), yet incomplete, that is it may report false alarms (
i.e., alarms that correspond to no real program execution). However, the design of the analyzer ensures a high level of precision on domain-specific families of software, which means
that the analyzer produces few or no false alarms on such programs.
In order to achieve this high level of precision,
[Astrée]uses a large number of expressive abstract domains, which allow expressing and inferring complex properties about the programs being analyzed, such as numerical properties (digital
filters, floating point computations), boolean control properties, and properties based on the history of program executions.
[Astrée]has achieved the following two unprecedented results:
A340–300.In Nov. 2003,
[Astrée]was able to prove completely automatically the absence of any RTE in the primary flight control software of the Airbus A340 fly-by-wire system, a program of 132,000 lines of C
analyzed in 1h20 on a 2.8 GHz 32-bit PC using 300 Mb of memory (and 50mn on a 64-bit AMD Athlon 64 using 580 Mb of memory).
A380.From Jan. 2004 on,
[Astrée]was extended to analyze the electric flight control codes then in development and test for the A380 series. The operational application by Airbus France at the end of 2004 was just in
time before the A380 maiden flight on Wednesday, 27 April, 2005.
These research and development successes have lead to consider the inclusion of
[Astrée]in the production of the critical software for the A350.
The
[Apron]Numerical Abstract Domain Library
Antoine
Miné
correspondant
Bertrand
Jeannet
team PopArt, INRIA-RA
convex polyhedron
interval
linear equality numerical abstract domain
octagon
The
[Apron]library is dedicated to the static analysis of the numerical variables of a program by abstract interpretation. Its goal is threefold: provide ready-to-use numerical abstractions under a
common API for analysis implementers, encourage the research in numerical abstract domains by providing a platform for integration and comparison, and provide a teaching and demonstration tool
to disseminate knowledge on abstract interpretation.
The
[Apron]library is not tied to a particular numerical abstraction. Several abstract domains providing various precision versus cost trade-offs are currently implemented: the interval, the
octagon, and the polyhedron domain. A specific low-level C API was designed to minimize the effort when incorporating a new abstract domain: only the basic functions need to be implemented. The
library contains generic services and fallback functions to simplify domain integration. For instance, existing domains can be combined by instancing a generic reduced product construction with
minimal effort. Another example is the support for non-linear transfer functions for free through a generic linearization technique. The API exposes domain-independent data-types and supports
both multi-precision and machine floating-point numbers. It is thread-safe.
From the point of view of the analysis designer, the
[Apron]library exposes a higher-level, richer, and language-agnostic API. Bindings for C, C++, and OCaml are currently provided.
In order to disseminate the knowledge in abstract interpretation, a simple interprocedural static analyzer for a toy language has been designed and deployed through a web-interface:
[http://
pop-art.
inrialpes.
fr/
interproc/
interprocweb.
cgi].
The
[Apron]library is freely available on the web at
[http://
apron.
cri.
ensmp.
fr/
library]. It is released under the LGPL license. Work on the
[Apron]library started during the
[Apron]project
Current external users includes the Proval/Démon team (LRI Orsay, France), the Analysis of Computer Systems Group (New-York University, USA), the Sierum software analysis platform (Kansas
State University, USA), NEC Labs (Princeton, USA), EADS CCR (Paris, France), IRIT (Toulouse, France).
Translation Validation
Xavier
Rival
correspondant
abstract interpretation
certified compilation
static analysis
translation validation
verifier
The main goal of this software project is to make it possible to certify automatically the compilation of large safety critical software, by proving that the compiled code is correct with
respect to the source code, which ensures that no compiler bug did cause incorrect code be generated. Furthermore, this approach should allow to meet some domain specific software qualification
criteria (such as those in DO-178 regulations for avionics software), since it allows proving that successive development levels are correct with respect to each other
i.e., that they implement the same specification. Last, this technique also justifies the use of source level static analyses, even when an assembly level certification would be
required, since it establishes separately that the source and the compiled code are equivalent.
The compilation certification process is performed automatically, thanks to a prover designed specifically. The automatic proof is done at a level of abstraction which has been defined so
that the result of the proof of equivalence is strong enough for the goals mentioned above and so that the proof obligations can be solved by efficient algorithms.
The current software features both a C to Power-PC compilation certifier and an interface for an alternate source language frontend, which can be provided by an end-user.
[
ProVerif
]
Bruno
Blanchet
correspondant
Xavier
Allamigeon
April–July 2004
formal model
verifier
security protocols
[ProVerif](
[www.
proverif.
ens.
fr]) is an automatic security protocol verifier, in the formal model (so called Dolev-Yao model). In this model, cryptographic primitives are considered as black boxes. This
protocol verifier is based on an abstract representation of the protocol by Horn clauses. Its main features are:
It can handle many different cryptographic primitives, including shared- and public-key cryptography (encryption and signatures), hash functions, and Diffie-Hellman key
agreements, specified both as rewrite rules or as equations.
It can handle an unbounded number of sessions of the protocol (even in parallel) and an unbounded message space. This result has been obtained thanks to some well-chosen
approximations. This means that the verifier can give false attacks, but if it claims that the protocol satisfies some property, then the property is actually satisfied.
[ProVerif]also provides attack reconstruction: when it cannot prove a property, it tries to reconstruct an attack, that is, an execution trace of the protocol that falsifies the desired
property.
The
[ProVerif]verifier can prove the following properties:
secrecy (the adversary cannot obtain the secret);
authentication and more generally correspondence properties, of the form “if an event has been executed, then other events have been executed as well”;
strong secrecy (the adversary does not see the difference when the value of the secret changes);
equivalences between processes that differ only by terms;
[ProVerif]has been used by researchers for studying various kinds of protocols, including electronic voting protocols, certified email protocols, and zero-knowledge protocols. It has been used as a
back-end for the tool
TulaFaleimplemented at Microsoft Research Cambridge, which verifies web services protocols. It has also been used as a back-end for verifying
implementations of protocols in F# (a dialect of ML included in .NET), by Microsoft Research Cambridge.
[ProVerif]is freely available on the web, at
[www.
proverif.
ens.
fr], under the GPL license.
[
CryptoVerif
]
Bruno
Blanchet
correspondant
computational model
verifier
security protocols
[CryptoVerif](
[www.
cryptoverif.
ens.
fr]) is an automatic protocol prover sound in the computational model. In this model, messages are bitstrings and the adversary is a polynomial-time probabilistic Turing
machine.
[CryptoVerif]can prove
secrecy;
correspondences
[CryptoVerif]provides a generic mechanism for specifying the security assumptions on cryptographic primitives, which can handle in particular symmetric encryption, message authentication codes,
public-key encryption, signatures, hash functions.
The generated proofs are proofs by sequences of games, as used by cryptographers. These proofs are valid for a number of sessions polynomial in the security parameter, in the presence of an
active adversary.
[CryptoVerif]can also evaluate the probability of success of an attack against the protocol as a function of the probability of breaking each cryptographic primitive and of the number of sessions
(exact security).
[CryptoVerif]is still at a rather early stage of development, but it has already been used for a study of Kerberos in the computational model and a project for using it as a back-end for verifying
implementations of protocols in F# is starting at Microsoft Research Cambridge.
[CryptoVerif]is freely available on the web, at
[www.
cryptoverif.
ens.
fr], under the CeCILL license.
New Results
Abstract Semantics of Grammars
Patrick
Cousot
Radhia
Cousot
abstract semantics
bottom-up semantics
context-free grammar
grammar flow analysis
grammar problem
parsing
top-down semantics
We have introduced abstract interpretations of a fixpoint protoderivation semantics defining the maximal derivations of a transitional semantics of context-free grammars akin to pushdown
automata. The result is a hierarchy of bottom-up or top-down semantics refining the classical equational and derivational language semantics and including Knuth grammar problems, classical
grammar flow analysis algorithms, and parsing algorithms
Bi-inductive Definitions and Bifinitary Semantics of the Eager Lambda-Calculus
Patrick
Cousot
Radhia
Cousot
big-step semantics
bi-inductive definition
divergence
inductive definition
natural semantics
operational semantics
relational semantics
small-step semantics
structural semantics
We have introduced an order-theoretic generalization of set-theoretic inductive definitions. This generalization covers inductive, co-inductive, and bi-inductive definitions, including
non-monotonic ones, and is preserved by abstraction. This allows the structural operational semantics to describe simultaneously the finite/terminating and infinite/diverging behaviors of
programs. This is illustrated on the structural bifinitary semantics of the call-by-value
-calculus at various levels of abstraction including small/big-step trace/relational/operational semantics
Verification of Security Protocols in the Formal Model
The formal model of protocols, or Dolev-Yao model is an abstract model in which messages are represented by terms. Our protocol verifier
[ProVerif]relies on this model. This year, we have mainly worked on the proof of correspondence properties in
[ProVerif]and on case studies that use this verifier.
Automatic Verification of Correspondences for Security Protocols
Bruno
Blanchet
authentication
automatic verification
correspondences
formal model
security protocols
We have written a journal paper that summarizes the technique used by
[ProVerif]in order to verify correspondences in security protocols. Correspondences are properties of the form “if some event has been executed, then other events have been executed as well”. In
particular, correspondences can be used to formalize authentication. This technique can prove a wide variety of correspondence properties represented by particular logical formulae. It is
fully automatic, it handles an unbounded number of sessions of the protocol, and it is efficient in practice. It significantly extends a previous technique for the verification of secrecy.
The protocol is represented in an extension of the pi calculus with fairly arbitrary cryptographic primitives. This protocol representation includes the specification of the correspondence to
be verified, but no other annotation. This representation is then translated into an abstract representation by Horn clauses, which is used to prove the desired correspondence. This technique
has been proved correct and tested on various protocols from the literature. The experimental results show that these protocols can be verified by our technique in less than 1 s. It has also
been used in more ambitious case studies such as our case studies of JFK
Case Study: the Protocol Just Fast Keying (JFK)
Martín
Abadi
University of California, Santa Cruz and Microsoft Research Silicon Valley
Bruno
Blanchet
Cédric
Fournet
Microsoft Research Cambridge
Just Fast Keying
applied pi calculus
automatic verification
security protocols
JFK is a recent, attractive protocol for fast key establishment as part of securing IP communication. We have analyzed it formally in the applied pi calculus (partly in terms of
observational equivalences, partly with the assistance of the automatic protocol verifier
[ProVerif]). We have treated JFK's core security properties, and also other properties that are rarely articulated and studied rigorously, such as plausible deniability and resistance to
denial-of-service attacks. In the course of our analysis we found some ambiguities and minor problems, such as limitations in identity protection, but we mostly obtained positive results
about JFK. For this purpose, we developed ideas and techniques that should be useful more generally in the specification and verification of security protocols. This work is published in
TISSEC
Case Study: the Secure Storage System Plutus
Bruno
Blanchet
Avik
Chaudhuri
University of California, Santa Cruz
automatic verification
lazy revocation
secure storage
security protocols
We have studied formal security properties of the state-of-the-art protocol for secure file sharing on untrusted storage Plutus, in the automatic protocol verifier
[ProVerif]. As far as we know, this is the first automated formal analysis of a secure storage protocol. The protocol used as the basis of Plutus features a number of interesting schemes like
lazy revocation and key rotation. These schemes improve the protocol's performance, but complicate its security properties. Our analysis clarifies several ambiguities in the design and
reveals some unknown attacks on the protocol. We propose corrections, and prove precise security guarantees for the corrected protocol.
Verification of Security Protocols in the Computational Model
The computational model of protocols considers messages as bitstrings, which is more realistic than the formal model, but also makes the proofs more difficult. Our verifier
[CryptoVerif]is sound in this model. This year, we have extended it to correspondence assertions and used it in case study of Kerberos.
Computationally Sound Mechanized Proofs of Correspondence Assertions
Bruno
Blanchet
automatic verification. computational model
correspondences
security protocols
We have extended our mechanized prover
[CryptoVerif]for showing correspondence assertions for security protocols in the computational model. Correspondence assertions are useful in particular for establishing authentication. Our
technique produces proofs by sequences of games, as standard in cryptography. These proofs are valid for a number of sessions polynomial in the security parameter, in the presence of an
active adversary. Our technique can handle a wide variety of cryptographic primitives, including shared- and public-key encryption, signatures, message authentication codes, and hash
functions. It has been successfully tested on examples from the literature, and used in the case study of Kerberos mentioned below. This work has been presented at Computer Security
Foundations Symposium
Computationally Sound Mechanized Proofs for Basic and Public-key Kerberos
Bruno
Blanchet
Aaron
Jaggard
Rutgers University
Andre
Scedrov
University of Pennsylvania
Joe-Kai
Tsay
University of Pennsylvania
automatic verification
computational model
Kerberos
key usability
security protocols
We have done a computationally sound mechanized analysis of Kerberos 5, both with and without its public-key extension PKINIT. We have proved authentication and key secrecy properties
using the prover
[CryptoVerif], which works directly in the computational model; these are the first mechanical proofs of a full industrial protocol at the computational level. We also generalize the notion of key
usability and use
[CryptoVerif]to prove that this definition is satisfied by keys in Kerberos. This work has been presented at the Dagstuhl seminar “Formal Protocol Verification Applied”
Analysis of Biological Pathways
We have introduced a framework to design and analyze biological networks. We focus on protein interaction networks described as graph rewriting systems. Such networks can be used to model
some signalling pathways that control the cell cycle. The task is made difficult due to the combinatorial blow up in the number of reachable species (
i.e. non-isomorphic connected components of proteins).
Reachability Analysis of Biological Signalling Pathways by Abstract Interpretation
Jérôme
Feret
protein interaction networks. verification
We have developed an abstract interpretation-based framework to compute an over-approximation of the reachable species in protein interaction networks. We show several applications in
Scalable Simulation of Cellular Signaling Networks
Vincent
Danos
Paris VII
Jérôme
Feret
Walter
Fontana
Harvard Medical School
Jean
Krivine
École Polytechnique
protein interaction networks
stochastic simulation
We have introduced a Gillespi simulation algorithm for the protein interaction networks that are described as graph rewriting systems. This algorithm does not count the number of species,
but uses a radically different method. The proposed algorithm uses a representation of each protein of the system together with an over approximation of the potential embedding of the
rewriting rules in this system, and a specific correction scheme to obtain exact timing. The update of the potential embedding of the rewriting rules is computed efficiently thanks to our
reachability analysis. Being completely local, this algorithm has a per event time cost which is independent of the size of reachable species (which can even be infinite), and independent of
the size of the system. The per event time cost is only logarithmic with respect to the number of rewriting rules. Nevertheless, the Gillespi time (
i.e. the biological time progress at each simulation step) is inversely proportional to the size of the system. We have published this algorithm in
Rule-based Modelling of Cellular Signalling
Vincent
Danos
Paris VII
Jérôme
Feret
Walter
Fontana
Harvard Medical School
Jean
Krivine
École Polytechnique
Russel
Harmer
Paris VII
concurrency
epidermic growth factor model
protein interaction networks
We have used our framework to model a sizable protein interaction network obtained from refactoring two models of EGF (epidermic growth factor) receptor signalling that are based on
differential equations. In
Representation of Sets of Graphs
Laurent
Mauborgne
graphs
sharing representations
static analysis
symbolic abstract domains
In order to derive generic abstract domains for symbolic properties where no hierarchy property can be extracted, we developed efficient representations for sets of graphs
O(
nlog
n). New widenings have been devised. Combined with the efficient representation, they should lead to faster and more precise analyses on symbolic, non hierarchic
structures, such as heap shapes or network shapes.
The Trace Partitioning Abstract Domain
Laurent
Mauborgne
Xavier
Rival
absence of runtime error
disjunctions
static analysis
symbolic abstract domains
trace partitioning
In order to achieve better precision of abstract interpretation based static analysis, we introduced a new generic abstract domain, the trace partitioning abstract domain. We extended this
principle into a theoretical framework
[Astrée]static analyzer. The domain can be configured so as to cope with program specificities. It allows for an important gain in both performance and precision.
Shape Analysis with Structural Invariant Checkers
Bor-Yuh Evan
Chang
University of California at Berkeley (USA)
George
Necula
University of California at Berkeley (USA)
Xavier
Rival
absence of runtime error
inductive definitions
memory abstraction
shape analysis
static analysis
symbolic abstract domains
Developer-supplied data structure specifications are important to shape analyses, as they tell the analysis what information should be tracked in order to obtain the desired shape
invariants. We observe that data structure checking code (
e.g., used in testing or dynamic analysis) provides shape information that can also be used in static analysis. We proposed a lightweight, automatic shape analysis based on these
developer-supplied structural invariant checkers
Separation Analysis
Élodie-Jane
Sims
heap
modular analysis
pointer analysis
separation analysis
static analysis
The objective is to perform a modular static analysis of programs manipulating data structures involving dynamic data allocation and pointers.
Separation logicsis a recently developed logic to describe and express properties of the memory. The logic was first extended with fixpoints to express recursive properties so as to
provide more precise pre- and post-conditions rules for while loops as well as strongest postconditions. The next goal was to use separation logic with fixpoints as an interface language for
pointer analyses (for example shape analyses). As a first step, we designed an abstract domain in the form of an abstract language with similarities with shape graphs as well as several useful
abstract operations. It was given a concrete semantics in terms of sets of memory, so as to express and prove overapproximating translations of formulae of the extended separation logic into
this abstract language
Analysis of a USB Driver
David
Monniaux
until Aug. 2007
Antoine
Miné
Sept.–Dec. 2007
absence of runtime error
asynchronous
concurrency
device driver
intelligent device static analysis
USB
verifier
We have studied the automated proof of absence of runtime errors for a USB (Universal Serial Bus) driver included in an embedded safety-critical application. The driver communicates with
several USB controllers that are 'intelligent' pieces of hardware using linked lists of descriptors for pending memory transfers. The controllers run concurrently with the driver. They inspect
and modify the descriptor lists residing in shared memory (relying solely on the atomicity of word reads and writes for synchronization) and implement data transfers using direct memory access
to and from the address space of the main software. To prove the memory safety of the driver, it is thus critical to take the intelligent controllers into account and prove that the driver does
not misprogram them (
e.g., ordering them to overwrite some important memory locations). Because of the critical level of the software, the considered USB driver was much simpler than drivers that can be
found in consumer-level operating systems: it lacked complex USB features such as hot-plugging and refrained from using dynamically memory allocation, which made the analysis simpler.
To perform a static analysis of the provided USB driver, we first designed a model of a controller respecting the OHCI (Open Host Controller Interface) norm 1.0a. This model is a 450-line
program written in a subset of C, enriched with non-deterministic choice (used pervasively to abstract away from unspecified implementation details as well as fully specified behaviors not
relevant to the proof of memory safely, such as the order of certain operations, time-related properties, etc.). We then extended the
[Astrée] analyzer (
[Astrée] was enriched to permit the precise analysis of pointers, including bitwise operations for address masking and synthesis, in a context where all memory is statically allocated.
Unfortunately, some of the properties required to prove the absence of runtime errors involved complex separation properties of linked lists, which are far outside the current scope of
[Astrée]. Inspection by hand concluded that the model of the controllers could be simplified by removing behaviors that are expected by the OHCI norm but do not change the set of reachable states
for live variables.
[Astrée] was then able to prove automatically the absence of arithmetic and memory errors for the driver and the simplified controllers.
This work was made under the
Asbaprodcontract (
Numerical Abstract Domains in the
[Apron]Library
Antoine
Miné
Bertrand
Jeannet
team PopArt, INRIA-RA
congruence equality
convex polyhedron
floating-point arithmetic
linear equality
linearization
numerical abstract domain
octagon
reduced product
static analysis
Several features were added this year to the
[Apron] numerical abstract domain library (
A core new feature is the introduction of transfer functions for
non-linearassignments and tests. A new expression tree data-type was added to support all four operations as well as square root, modulo and casts; with a choice of integer, real or IEEE
754-1984
floating-pointsemantics (with optional rounding mode). The main result concerns the ability for all numerical abstract domains to support non-linear transfer functions for free through
the use of generic, domain-independent linearization techniques. An important application is the ability for complex relational numerical abstract domains on reals (such as polyhedra or
octagons) to support floating-point expressions in a sound way. We hope that this
[Apron]-specific feature will simplify the design of sound static analyzers for real-life programming languages.
Moreover, the following numerical abstract domains were added the library:
a linear equality domain, based on the NewPolka polyhedra;
wrappers for the polyhedra and linear congruences domains from the Parma Polyhedra Library (PPL);
a generic reduced product domain constructor;
an instance of the above constructor for the reduced product of convex polyhedra (NewPolka implementation) and linear congruences (PPL implementation).
One new language binding was added: C++ that adds object-orientation, intelligent constructors and destructors, and operator overloading to provide a more user-friendly API.
An interprocedural analyzer for a toy language has been developed in OCaml and made available on the web at
[http://
pop-art.
inrialpes.
fr/
interproc/
interprocweb.
cgi]. It provides a non-trivial example of the use of the
[Apron] library and an academic tool to disseminate the knowledge on numerical abstract domains and abstract interpretation.
Dissemination of the library was also achieved this year through a poster at the Static Analysis Symposium (SAS'07)
This year has also seen the emergence of an international community of users from various research labs (see
Abstraction Refinement
Patrick
Cousot
Pierre
Ganty
Université Libre de Bruxelles
Jean-François
Raskin
Université Libre de Bruxelles
abstraction
fixpoint
reachability
refinement
New fixpoint guided abstraction refinement algorithms for abstract reachability in finite transition systems were designed in cooperation with the ULB (Université Libre de Bruxelles)
Contracts and Grants with Industry
ES_PASS Contract
ES_PASS (
Embedded
Software
Product-based
ASSurance) is an ITEA European project grouping technology and tool providers as well as industrial end-users in the field of embedded software for automotive,
avionic, railway and space transportation (AbsInt Angewandte Informatik GmbH, Airbus France, CEA/LIST, CS Systèmes d'Information, DaimlerChrysler AG, EADS Astrium SAS, EADS Innovation Works,
École Normale Supérieure (ENS), Esterel technologies, FéRIA (IRIT & ONERA), Fraunhofer FIRST, Institut für Bahntechnik (IFB), Saarland University, Siemens VDO, Technical University Munich,
Technical University of Madrid, Thales Avionics, Thales Transport). The objective of the participation of the
Abstractionproject-team to ES_PASS is to confront the
[Astrée]analyzer to a wide range of industrial applications in order to evaluate its practical applicability and prepare its industrialization.
SSVAI Contract
SSVAI (
Space
Software
Validation using
Abstract
Interpretation) is an ESA-ITI project (European Space Agency (Innovative Triangle Initiative) with Astrium Space Transportation, the CEA, the ENS, and the École
polytechnique. The activity of the
Abstractionproject-team in this project is mainly to apply the
[Astrée]static analyzer to the MSU (Monitoring Software Unit) code of the ATV (Automated Transfer Vehicle) for the ISS (International Space Station).
AsbaprodContract
Asbaprod(
ASsurance
BAsée
PRODduit) is an industrial project on static program analysis by abstract interpretation with Airbus France which objective is determined annually. The main results
in 2007 concerned a new parallel version of
[Astrée]and the static analysis of USB (universal serial bus) drivers in the context of a simulated concurrent device controler
[Apron]ACI
The
Abstractionproject-team participates in a French
Action Concertée Incitative “Sécurité et Informatique”(ACI SI) named “Apron”
[http://
apron.
cri.
ensmp.
fr/
]together with the team “Analyses, transformations et instrumentations de programmes” (Centre de Recherche en Informatique, École des Mines de Paris [coordinator]), the
Synchroneteam (Verimag, Grenoble), the
Vertecsproject (IRISA, Rennes), and the team “Sémantique, preuves et interprétation abstraite” (École Polytechnique, Palaiseau). The focus of this
project is on the theory of numerical abstract domains and their application to the static analysis by abstract interpretation of the properties of the numerical variables of a program. The
first, theoretical goal of the project is to advance the research in numerical abstract domains. The second, more practical goal, is to mature the field by bringing together five actors to
define their needs, and then design and implement a common software platform suited for a broad range of static analysis applications. This project has lead to 29 publications in international
conferences, workshops, and journals, four technical reports, four PhD, and the design and implementation of the
[Apron]numerical abstract domain library (
ControvertANR
The
Controvertproject (2005–2008) brings together control-theory researchers of ONERA/DCSD and the Université Paul Sabatier of Toulouse and computer
scientists from the
Abstractionproject-team. A first objective is to bridge the gap between control-theory-based methods for analyzing properties of models of systems and
their controllers (e.g. robustness) by continuous Lagrangian overapproximation of the system trajectories and abstract-interpretation-based methods for analyzing control/command programs (e.g.
safety properties) in opened loop. A second objective is to use the results of the control-command theoretic analysis of the closed loop to support the program analysis in the context of the
controlled system.
[FormaCrypt]ARA
The
Abstractionproject-team coordinates the
[FormaCrypt]project, on “formal proofs and probabilistic semantics in cryptography” (project web site:
[http://
www.
di.
ens.
fr/
~blanchet/
formacrypt/
index.
html]). This project is financed by the
Agence Nationale pour la Recherche, in the frame of the
Action de Recherche Amont Sécurité, Systèmes embarqués et Intelligence Ambiante (ARA SSIA). This project of a duration of 3 years (January 2006–December 2008) brings together researchers
of the INRIA project-teams
Abstractionand
Cascade(LIENS,
Laboratoire d'Informatique de l'École Normale Supérieure), SECSI (LSV,
Laboratoire Spécification et Vérification, ENS Cachan), and CASSIS (LORIA,
Laboratoire Lorrain de Recherche en Informatique et ses Applications), as well as Martín Abadi as scientific advisor. The goal of this project is to bridge the gap between the formal and
computational models of security protocols, so as to obtain automatic proofs of protocols valid in the computational model. This project has lead to 15 publications in international
conferences, workshops, and journals, to the implementation of two tools,
[CryptoVerif]and an extension of AVISPA, and strongly contributed to the organisation of a series of international workshops (the workshops on Formal and Computational Cryptography, FCC). Bruno
Blanchet is the principal investigator for this action.
ThéséeANR
The objective of the
Théséeproject (2006–2009) is to develop static analysis techniques for proving the absence of runtime errors in
asynchronous (real-time) programs. The project is in cooperation with EDF and Airbus France. The main problem is to scale up traditional sequential static analysis
methods so as to cope with the combinatorial explosion resulting form the interleaving of communications and interactions through shared variables in a parallel execution of the asynchronous
processes.