ABSTRACT
Static analysis is often performed on source code where intervals -- possibly the most widely used numeric abstract domain -- have successfully been used as a program abstraction for decades. Binary code on microcontroller platforms, however, is different from high-level code in that data is frequently altered using bitwise operations and the results of operations often depend on the hardware configuration. We describe a method that combines word- and bit-level interval analysis and integrates a hardware model by means of abstract interpretation in order to handle these peculiarities. Moreover, we show that this method proves powerful enough to derive invariants that could so far only be verified using computationally more expensive techniques such as model checking.
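The combination the abstract describes, as an added illustration that is not the paper's implementation: a reduced product of an 8-bit interval and a bit-level tristate (known-bits) domain, with the word-level and bit-level transfer functions refining each other. The scenario (a counter in 10..12 masked with 0x0C, then incremented) and all names are constructed for this example.

```python
MASK = 0xFF  # 8-bit words, as on the AVR targets the abstract refers to

def interval_and(a, b):
    # word level only: an unsigned AND never exceeds either operand
    return 0, min(a.hi, b.hi)

class Abs:
    """Reduced product of an interval [lo, hi] and a bit-level tristate:
    bit i is fixed iff `known` has bit i set, and then equals bit i of `val`."""
    def __init__(self, lo, hi, known=0, val=0):
        self.lo, self.hi, self.known, self.val = lo, hi, known, val & known
        self._reduce()

    def _reduce(self):
        # bits -> interval: unknown bits are 0 for the minimum, 1 for the maximum
        self.lo = max(self.lo, self.val)
        self.hi = min(self.hi, self.val | (MASK & ~self.known))
        # interval -> bits: the leading bits on which lo and hi agree are fixed
        prefix = MASK & ~((1 << (self.lo ^ self.hi).bit_length()) - 1)
        self.known |= prefix
        self.val |= self.lo & prefix

    def concretize(self):
        return {x for x in range(self.lo, self.hi + 1) if x & self.known == self.val}

    def band(self, other):
        lo, hi = interval_and(self, other)
        # bit level: 0 if either bit is known 0, 1 if both are known 1, else unknown
        zeros = (self.known & ~self.val) | (other.known & ~other.val)
        ones = self.known & self.val & other.known & other.val
        return Abs(lo, hi, zeros | ones, ones)

    def add(self, other):
        # word-level addition; a possible 8-bit wrap-around loses all information
        lo, hi = self.lo + other.lo, self.hi + other.hi
        return Abs(0, MASK) if hi > MASK else Abs(lo, hi)

def const(c):
    return Abs(c, c)

def example():
    # constructed scenario: a counter known to lie in 10..12 is masked with 0x0C
    x = Abs(10, 12)
    mask = const(0x0C)
    masked = x.band(mask)          # intervals alone would only give [0, 12]
    bumped = masked.add(const(1))  # bits are recovered from the new interval
    return (interval_and(x, mask), (masked.lo, masked.hi),
            masked.concretize(), (bumped.lo, bumped.hi))

if __name__ == "__main__":
    print(example())
```

The word-level AND alone yields [0, 12]; the bit-level part fixes bits 7..3 to 00001 and bits 1..0 to 0, so the product tightens the result to [8, 12] with only {8, 12} as concrete values.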
Index Terms: Interval analysis of microcontroller code using abstract interpretation of hardware and software