Results 1 - 10 of 164
Intrusion Detection via Static Analysis
2001
Cited by 352 (1 self)
One of the primary challenges in intrusion detection is modelling typical application behavior, so that we can recognize attacks by their atypical effects without raising too many false alarms. We show how static analysis may be used to automatically derive a model of application behavior. The result is a host-based intrusion detection system with three advantages: a high degree of automation, protection against a broad class of attacks based on corrupted code, and the elimination of false alarms. We report on our experience with a prototype implementation of this technique. 1. Introduction Computer security has undergone a major renaissance in the last five years. Beginning with Sun's introduction of the Java language and its support of mobile code in 1995, programming languages have been a major focus of security research. Many papers have been published applying programming language theory to protection problems [25, 24], especially information flow [17]. Security, however, is a ma...
Modeling and Verifying Systems using a Logic of Counter Arithmetic with Lambda Expressions and Uninterpreted Functions
2002
Cited by 154 (42 self)
In this paper, we present the logic of Counter arithmetic with Lambda expressions and Uninterpreted functions (CLU). CLU generalizes the logic of equality with uninterpreted functions (EUF) with constrained lambda expressions, ordering, and successor and predecessor functions. In addition to modeling pipelined processors, for which EUF has proved useful, CLU can be used to model many infinite-state systems including those with infinite memories, finite and infinite queues including lossy channels, and networks of identical processes. Even with this richer expressive power, the validity of a CLU formula can be efficiently decided by translating it to a propositional formula, and then using Boolean methods to check validity. We give theoretical and empirical evidence for the efficiency of our decision procedure. We also describe verification techniques that we have used on a variety of systems, including an out-of-order execution unit and the load-store unit of an industrial microprocessor.
TReX: A Tool for Reachability Analysis of Complex Systems
2001
Cited by 69 (3 self)
Introduction Finite-state model-checkers such as Smv [13] and Spin [11] do not allow one to deal with important aspects that appear in modelling and analysing complex systems, e.g., communication protocols. Among these aspects: real-time constraints, manipulation of unbounded data structures like counters, communication through unbounded channels, parametric reasoning, etc. The tool we propose, called TReX, allows one to automatically analyse automata-based models equipped with variables of different kinds of infinite-domain data structures and with parameters (i.e., uninstantiated constants). These models are, at the present time, parametric (continuous-time) timed automata, extended with integer counters and communicating through unbounded lossy FIFO queues. The techniques used in TReX are based on symbolic reachability analysis. Symbolic representation structures are u
Programs with Lists are Counter Automata
In CAV'06, LNCS, 2006
Cited by 68 (9 self)
Abstract. We address the verification problem of programs manipulating one-selector linked data structures. We propose a new automated approach for checking safety and termination for these programs. Our approach is based on using heap graphs where list segments without sharing are collapsed, and counters are used to keep track of the number of elements in these segments. This allows us to apply automatic analysis techniques and tools for counter automata in order to verify list programs. We show the effectiveness of our approach, in particular by automatically verifying termination of some sorting programs.
How to Compose Presburger-Accelerations: Applications to Broadcast Protocols
In Proc. 22nd Conf. Found. of Software Technology and Theor. Comp. Sci. (FST&TCS'2002), Kanpur, 2002
Cited by 66 (18 self)
Finite linear systems are finite sets of linear functions whose guards are defined by Presburger formulas, and whose associated square matrices generate a finite multiplicative monoid. We prove that for finite linear systems, the accelerations of sequences of transitions always produce an effective Presburger-definable relation. We then show how to choose the good sequences of length n, whose number is polynomial in n although the total number of cycles of length n is exponential in n. We implement these theoretical results in the tool FAST [FAS] (Fast Acceleration of Symbolic Transition systems). FAST computes in a few seconds the minimal deterministic finite automata that represent the reachability sets of 8 well-known broadcast protocols.
Saturation Unbound
Proc. TACAS, 2003
Cited by 50 (21 self)
In previous work, we proposed a "saturation" algorithm for symbolic state-space generation characterized by the use of multi-valued decision diagrams, Boolean Kronecker operators, event locality, and a special iteration strategy. This approach outperforms traditional BDD-based techniques by several orders of magnitude in both space and time but, like them, assumes a priori knowledge of each submodel's state space. We introduce a new algorithm that merges explicit local state-space discovery with symbolic global state-space generation. This relieves the modeler from worrying about the behavior of submodels in isolation.
Indexed Predicate Discovery for Unbounded System Verification
In CAV'04, 2004
Cited by 50 (6 self)
Predicate abstraction has been proved effective for verifying several infinite-state systems. In predicate abstraction, an abstract system is automatically constructed given a set of predicates. Predicate abstraction coupled with automatic predicate discovery provides for a completely automatic verification scheme. For systems with unbounded integer state variables (e.g. software), counterexample-guided predicate discovery has been successful in identifying the necessary predicates. For
Regular Tree Model Checking
Cited by 49 (8 self)
In this paper, we present an approach for algorithmic verification of infinite-state systems with a parameterized tree topology. Our work is a generalization of regular model checking, where we extend the work done with strings toward trees. States are represented by trees over a finite alphabet, and transition relations by regular, structure-preserving relations on trees. We use an automata-theoretic method to compute the transitive closure of such a transition relation. Although the method is incomplete, we present sufficient conditions to ensure termination.
Regular Model Checking without Transducers (On Efficient Verification of Parameterized Systems)
2006
Cited by 44 (18 self)
We give a simple and efficient method to prove safety properties for parameterized systems with linear topologies. A process in the system is a finite-state automaton, where the transitions are guarded by both local and global conditions. Processes may communicate via broadcast, rendezvous and shared variables. The method derives an over-approximation of the induced transition system, which allows the use of a simple class of regular expressions as a symbolic representation. Compared to traditional regular model checking methods, the analysis does not require the manipulation of transducers, hence its simplicity and efficiency. We have implemented a prototype which works well on several mutual exclusion algorithms and cache coherence protocols.
Verifying Programs with Dynamic 1-Selector-Linked Structures in Regular Model Checking
In Proc. of TACAS '05, volume 3440 of LNCS, 2005
Cited by 41 (9 self)
Abstract. We address the problem of automatic verification of programs with dynamic data structures. We consider the case of sequential, non-recursive programs manipulating 1-selector-linked structures such as traditional linked lists (possibly sharing their tails) and circular lists. We propose an automata-based approach for a symbolic verification of such programs using the regular model checking framework. Given a program, the configurations of the memory are systematically encoded as words over a suitable finite alphabet, potentially infinite sets of configurations are represented by finite-state automata, and statements of the program are automatically translated into finite-state transducers defining regular relations between configurations. Then, abstract regular model checking techniques are applied in order to automatically check safety properties concerning the shape of the computed configurations or relating the input and output configurations. For that, we introduce new techniques for the computation of abstractions of the set of reachable configurations, and to refine these abstractions if spurious counterexamples are detected. Finally, we present experimental results showing the applicability of the approach and its efficiency.