Results 1  10
of
185
Bebop: A Symbolic Model Checker for Boolean Programs
, 2000
"... We present the design, implementation and empirical evaluation of Bebop  a symbolic model checker for boolean programs. Bebop represents control flow explicitly, and sets of states implicitly using BDDs. By harnessing the inherent modularity in procedural abstraction and exploiting the locality of ..."
Abstract

Cited by 255 (24 self)
 Add to MetaCart
(Show Context)
We present the design, implementation and empirical evaluation of Bebop  a symbolic model checker for boolean programs. Bebop represents control flow explicitly, and sets of states implicitly using BDDs. By harnessing the inherent modularity in procedural abstraction and exploiting the locality of variable scoping, Bebop is able to model check boolean programs with several thousand lines of code, hundreds of procedures, and several thousand variables in a few minutes.
MOPS: an Infrastructure for Examining Security Properties of Software
 In Proceedings of the 9th ACM Conference on Computer and Communications Security
, 2002
"... We describe a formal approach for finding bugs in securityrelevant software and verifying their absence. The idea is as follows: we identify rules of safe programming practice, encode them as safety properties, and verify whether these properties are obeyed. Because manual verification is too expen ..."
Abstract

Cited by 233 (8 self)
 Add to MetaCart
(Show Context)
We describe a formal approach for finding bugs in securityrelevant software and verifying their absence. The idea is as follows: we identify rules of safe programming practice, encode them as safety properties, and verify whether these properties are obeyed. Because manual verification is too expensive, we have built a program analysis tool to automate this process. Our program analysis models the program to be verified as a pushdown automaton, represents the security property as a finite state automaton, and uses model checking techniques to identify whether any state violating the desired security goal is reachable in the program. The major advantages of this approach are that it is sound in verifying the absence of certain classes of vulnerabilities, that it is fully interprocedural, and that it is efficient and scalable. Experience suggests that this approach will be useful in finding a wide range of security vulnerabilities in large programs efficiently.
Regular Model Checking
, 2000
"... . We present regular model checking, a framework for algorithmic verification of infinitestate systems with, e.g., queues, stacks, integers, or a parameterized linear topology. States are represented by strings over a finite alphabet and the transition relation by a regular lengthpreserving re ..."
Abstract

Cited by 164 (25 self)
 Add to MetaCart
(Show Context)
. We present regular model checking, a framework for algorithmic verification of infinitestate systems with, e.g., queues, stacks, integers, or a parameterized linear topology. States are represented by strings over a finite alphabet and the transition relation by a regular lengthpreserving relation on strings. Major problems in the verification of parameterized and infinitestate systems are to compute the set of states that are reachable from some set of initial states, and to compute the transitive closure of the transition relation. We present two complementary techniques for these problems. One is a direct automatatheoretic construction, and the other is based on widening. Both techniques are incomplete in general, but we give sufficient conditions under which they work. We also present a method for verifying !regular properties of parameterized systems, by computation of the transitive closure of a transition relation. 1 Introduction This paper presents regular ...
Static Analysis of Executables to Detect Malicious Patterns
 In Proceedings of the 12th USENIX Security Symposium
, 2003
"... Malicious code detection is a crucial component of any defense mechanism. In this paper, we present a unique viewpoint on malicious code detection. We regard malicious code detection as an obfuscationdeobfuscation game between malicious code writers and researchers working on malicious code detecti ..."
Abstract

Cited by 149 (0 self)
 Add to MetaCart
(Show Context)
Malicious code detection is a crucial component of any defense mechanism. In this paper, we present a unique viewpoint on malicious code detection. We regard malicious code detection as an obfuscationdeobfuscation game between malicious code writers and researchers working on malicious code detection. Malicious code writers attempt to obfuscate the malicious code to subvert the malicious code detectors, such as antivirus software. We tested the resilience of three commercial virus scanners against codeobfuscation attacks. The results were surprising: the three commercial virus scanners could be subverted by very simple obfuscation transformations! We present an architecture for detecting malicious patterns in executables that is resilient to common obfuscation transformations. Experimental results demonstrate the efficacy of our prototype tool, SAFE (a static analyzer for executables). 1
Weighted pushdown systems and their application to interprocedural dataflow analysis
 Sci. of Comp. Prog
, 2003
"... Abstract. Recently, pushdown systems (PDSs) have been extended to weighted PDSs, in which each transition is labeled with a value, and the goal is to determine the meetoverallpaths value (for paths that meet a certain criterion). This paper shows how weighted PDSs yield new algorithms for certain ..."
Abstract

Cited by 140 (31 self)
 Add to MetaCart
(Show Context)
Abstract. Recently, pushdown systems (PDSs) have been extended to weighted PDSs, in which each transition is labeled with a value, and the goal is to determine the meetoverallpaths value (for paths that meet a certain criterion). This paper shows how weighted PDSs yield new algorithms for certain classes of interprocedural dataflowanalysis problems. 1
Analysis of Recursive State Machines
 In Proceedings of CAV 2001
, 2001
"... . Recursive state machines (RSMs) enhance the power of ordinary state machines by allowing vertices to correspond either to ordinary states or to potentially recursive invocations of other state machines. RSMs can model the control flow in sequential imperative programs containing recursive proc ..."
Abstract

Cited by 140 (29 self)
 Add to MetaCart
(Show Context)
. Recursive state machines (RSMs) enhance the power of ordinary state machines by allowing vertices to correspond either to ordinary states or to potentially recursive invocations of other state machines. RSMs can model the control flow in sequential imperative programs containing recursive procedure calls. They can be viewed as a visual notation extending Statechartslike hierarchical state machines, where concurrency is disallowed but recursion is allowed. They are also related to various models of pushdown systems studied in the verification and program analysis communities. After introducing RSMs, we focus on whether statespace analysis can be performed efficiently for RSMs. We consider the two central problems for algorithmic analysis and model checking, namely, reachability (is a target state reachable from initial states) and cycle detection (is there a reachable cycle containing an accepting state). We show that both these problems can be solved in time O(n` 2 ) and space O(n`), where n is the size of the recursive machine and ` is the maximum, over all component state machines, of the minimum of the number of entries and the number of exits of each component. We also study the precise relationship between RSMs and closely related models. 1
Recursive Markov chains, stochastic grammars, and monotone systems of nonlinear equations
 IN STACS
, 2005
"... We define Recursive Markov Chains (RMCs), a class of finitely presented denumerable Markov chains, and we study algorithms for their analysis. Informally, an RMC consists of a collection of finitestate Markov chains with the ability to invoke each other in a potentially recursive manner. RMCs offer ..."
Abstract

Cited by 95 (13 self)
 Add to MetaCart
(Show Context)
We define Recursive Markov Chains (RMCs), a class of finitely presented denumerable Markov chains, and we study algorithms for their analysis. Informally, an RMC consists of a collection of finitestate Markov chains with the ability to invoke each other in a potentially recursive manner. RMCs offer a natural abstract model for probabilistic programs with procedures. They generalize, in a precise sense, a number of well studied stochastic models, including Stochastic ContextFree Grammars (SCFG) and MultiType Branching Processes (MTBP). We focus on algorithms for reachability and termination analysis for RMCs: what is the probability that an RMC started from a given state reaches another target state, or that it terminates? These probabilities are in general irrational, and they arise as (least) fixed point solutions to certain (monotone) systems of nonlinear equations associated with RMCs. We address both the qualitative problem of determining whether the probabilities are 0, 1 or inbetween, and
A Generic Approach to the Static Analysis of Concurrent Programs with Procedures
, 2003
"... We present a generic aproach to the static analysis of concurrent programs with procedures. We model programs as communicating pushdown systems. It is known that typical dataow problems for this model are undecidable, because the emptiness problem for the intersection of contextfree languages, w ..."
Abstract

Cited by 95 (19 self)
 Add to MetaCart
(Show Context)
We present a generic aproach to the static analysis of concurrent programs with procedures. We model programs as communicating pushdown systems. It is known that typical dataow problems for this model are undecidable, because the emptiness problem for the intersection of contextfree languages, which is undecidable, can be reduced to them. In this paper we propose an algebraic framework for de ning abstractions (upper approximations) of contextfree languages. We consider two classes of abstractions: nitechain abstractions, which are abstractions whose domains do not contain any in nite chains, and commutative abstractions corresponding to classes of languages that contain a word if and only if they contain all its permutations. We show how to compute such approximations by combining automata theoretic techniques with algorithms for solving systems of polynomial inequations in Kleene algebras.
Verification on Infinite Structures
, 2000
"... In this chapter, we present a hierarchy of infinitestate systems based on the primitive operations of sequential and parallel composition; the hierarchy includes a variety of commonlystudied classes of systems such as contextfree and pushdown automata, and Petri net processes. We then examine the ..."
Abstract

Cited by 90 (2 self)
 Add to MetaCart
In this chapter, we present a hierarchy of infinitestate systems based on the primitive operations of sequential and parallel composition; the hierarchy includes a variety of commonlystudied classes of systems such as contextfree and pushdown automata, and Petri net processes. We then examine the equivalence and regularity checking problems for these classes, with special emphasis on bisimulation equivalence, stressing the structural techniques which have been devised for solving these problems. Finally, we explore the model checking problem over these classes with respect to various linear and branchingtime temporal logics.
Detecting manipulated remote call streams
 In 11th USENIX Security Symposium
, 2002
"... In the Internet, mobile code is ubiquitous and includes such examples as browser plugins, Java applets, and document macros. In this paper, we address an important vulnerability in mobile code security that exists in remote execution systems such as Condor, Globus, and SETI@Home. These systems sche ..."
Abstract

Cited by 88 (11 self)
 Add to MetaCart
(Show Context)
In the Internet, mobile code is ubiquitous and includes such examples as browser plugins, Java applets, and document macros. In this paper, we address an important vulnerability in mobile code security that exists in remote execution systems such as Condor, Globus, and SETI@Home. These systems schedule user jobs for execution on remote idle machines. However, they send most of their important system calls back to the local machine for execution. Hence, an evil process on the remote machine can manipulate a user’s job to send destructive system calls back to the local machine. We have developed techniques to remotely detect such manipulation. Before the job is submitted for remote execution, we construct a model of the user’s binary program using static analysis. This binary analysis is applicable to commodity remote execution systems and applications. During remote job execution, the model checks all system calls arriving at the local machine. Execution is only allowed to continue while the model remains valid. We begin with a finitestate machine model that accepts sequences of system calls and then build optimizations into the model to improve its precision and efficiency. We also propose two program transformations, renaming and null call insertion, that have a significant impact on the precision and efficiency. As a desirable sideeffect, these techniques also obfuscate the program, thus making it harder for the adversary to reverse engineer the code. We have implemented a simulated remote execution environment to demonstrate how optimizations and transformations of the binary program increase the precision and efficiency. In our test programs, unoptimized models increase runtime by 0.5 % or less. At moderate levels of optimization, runtime increases by less than 13 % with precision gains reaching 74%.