skip to main content
10.1145/3213846.3213849acmconferencesArticle/Chapter ViewAbstractPublication PagesisstaConference Proceedingsconference-collections
research-article

Lightweight verification of array indexing

Published: 12 July 2018 Publication History

Abstract

In languages like C, out-of-bounds array accesses lead to security vulnerabilities and crashes. Even in managed languages like Java, which check array bounds at run time, out-of-bounds accesses cause exceptions that terminate the program.
We present a lightweight type system that certifies, at compile time, that array accesses in the program are in-bounds. The type system consists of several cooperating hierarchies of dependent types, specialized to the domain of array bounds-checking. Programmers write type annotations at procedure boundaries, allowing modular verification at a cost that scales linearly with program size.
We implemented our type system for Java in a tool called the Index Checker. We evaluated the Index Checker on over 100,000 lines of open-source code and discovered array access errors even in well-tested, industrial projects such as Google Guava.

References

[1]
2002. PLDI 2002: Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation. Berlin, Germany.
[2]
Wolfgang Ahrendt, Bernhard Beckert, Daniel Bruns, Richard Bubel, Christoph Gladisch, Sarah Grebing, Reiner Hähnle, Martin Hentschel, Mihai Herda, Vladimir Klebanov, Wojciech Mostowski, Christoph Scheben, Peter H. Schmitt, and Mattias Ulbrich. 2014. The KeY platform for verification and analysis of Java programs. In VSTTE 2014: 6th Working Conference on Verified Software: Theories, Tools, Experiments. Vienna, Austria, 55–71.
[3]
Nathaniel Ayewah, David Hovemeyer, J. David Morgenthaler, John Penix, and William Pugh. 2008. Using Static Analysis to Find Bugs. IEEE Software 25, 5 (2008), 22–29.
[4]
Mike Barnett, Bor-Yuh Evan Chang, Robert DeLine, Bart Jacobs, and K Rustan M Leino. 2005. Boogie: A modular reusable verifier for object-oriented programs. In International Symposium on Formal Methods for Components and Objects. Springer, 364–387.
[5]
Paulo Barros, René Just, Suzanne Millstein, Paul Vines, Werner Dietl, Marcelo d’Amorim, and Michael D. Ernst. 2015. Static analysis of implicit control flow: Resolving Java reflection and Android intents. In ASE 2015: Proceedings of the 30th Annual International Conference on Automated Software Engineering. Lincoln, NE, USA, 669–679.
[6]
Al Bessey, Ken Block, Benjamin Chelf, Andy Chou, Bryan Fulton, Seth Hallem, Charles Henri-Gros, Asya Kamsky, Scott McPeak, and Dawson R. Engler. 2010. A few billion lines of code later: Using static analysis to find bugs in the real world. Commun. ACM 53, 2 (2010), 66–75.
[7]
Rastislav Bodík, Rajiv Gupta, and Vivek Sarkar. 2000. ABCD: Eliminating Array Bounds Checks on Demand. In PLDI 2000: Proceedings of the ACM SIGPLAN 2000 Conference on Programming Language Design and Implementation. Vancouver, BC, Canada, 321–333.
[8]
Dan Brotherston, Werner Dietl, and Ondřej Lhoták. 2017. Granullar: gradual nullable types for Java. In CC 2017: 26th International Conference on Compiler Construction. Austin, TX, USA, 87–97.
[9]
Lilian Burdy, Yoonsik Cheon, David Cok, Michael D. Ernst, Joe Kiniry, Gary T. Leavens, K. Rustan M. Leino, and Erik Poll. 2005. An overview of JML tools and applications. Software Tools for Technology Transfer 7, 3 (June 2005), 212–232.
[10]
Jeremy Condit, Matthew Harren, Zachary Anderson, David Gay, and George C. Necula. 2007. Dependent types for low-level programming. In ESOP 2007: 16th European Symposium on Programming. Braga, Portugal, 520–535.
[11]
Patrick Cousot. 1997. Types as abstract interpretations. In POPL ’97: Proceedings of the 24th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. Paris, France, 316–331.
[12]
Al Danial. Accessed June 7, 2018. cloc. http://cloc.sourceforge.net/.
[13]
Oege De Moor, Damien Sereni, Mathieu Verbaere, Elnar Hajiyev, Pavel Avgustinov, Torbjörn Ekman, Neil Ongkingco, and Julian Tibble. 2007. ql: Objectoriented queries made easy. In International Summer School on Generative and Transformational Techniques in Software Engineering. Springer, Braga, Portugal, 78–133.
[14]
Leonardo De Moura and Nikolaj Bjørner. 2008. Z3: An efficient SMT solver. In TACAS 2008: Tools and Algorithms for the Construction and Analysis of Systems (TACAS). Budapest, Hungary, 337–340.
[15]
David L. Detlefs, K. Rustan M. Leino, Greg Nelson, and James B. Saxe. 1998. Extended Static Checking. SRC Research Report 159. Compaq Systems Research Center.
[16]
Archibald Samuel Elliott, Andrew Ruef, Michael Hicks, and David Tarditi. {n. d.}. Checked C: Making C safe by extension.
[17]
Michael Ernst. Accessed June 7, 2018. plume-lib. https://github.com/mernst/ plume-lib.
[18]
Michael D. Ernst. 2003. Static and dynamic analysis: Synergy and duality. In WODA 2003: Workshop on Dynamic Analysis. Portland, OR, USA, 24–27.
[19]
David Evans. 1996. Static detection of dynamic memory errors. In PLDI ’96: Proceedings of the SIGPLAN ’96 Conference on Programming Language Design and Implementation. Philadelphia, PA, USA, 44–53.
[20]
Manuel Fähndrich, Michael Barnett, and Francesco Logozzo. 2010. Embedded contract languages. In SAC 2010: Proceedings of the 2010 ACM Symposium on Applied Computing. Sierre, Switzerland, 2103–2110.
[21]
Manuel Fähndrich and Francesco Logozzo. 2010. Static contract checking with abstract interpretation. In International Conference on Formal Verification of Object-Oriented Software. Paris, France, 10–30.
[22]
James Finkle and Supriya Kurane. 2014. U.S. hospital breach biggest yet to exploit Heartbleed bug: expert. https://www.reuters.com/article/ us-community-health-cybersecurity-idUSKBN0GK0H420140820.
[23]
Cormac Flanagan, K. Rustan M. Leino, Mark Lillibridge, Greg Nelson, James B. Saxe, and Raymie Stata. 2002. Extended static checking for Java, See { 1 }, 234–245.
[24]
Jeffrey S. Foster, Tachio Terauchi, and Alex Aiken. 2002. Flow-sensitive type qualifiers, See { 1 }, 1–12.
[25]
David Gilbert. Accessed June 7, 2018. JFreeChart. https://github.com/jfree/ jfreechart.
[26]
Alberto Goffi, Alessandra Gorla, Andrea Mattavelli, Mauro Pezzè, and Paolo Tonella. 2014. Search-based synthesis of equivalent method sequences. In FSE 2014: Proceedings of the ACM SIGSOFT 22nd Symposium on the Foundations of Software Engineering. Hong Kong, 366–376.
[27]
Google Inc. Accessed June 7, 2018. Google Guava. https://github.com/google/ guava.
[28]
Brian Hackett, Manuvir Das, Daniel Wang, and Zhe Yang. 2006. Modular checking for buffer overflows in the large. In ICSE 2006, Proceedings of the 28th International Conference on Software Engineering. Shanghai, China, 232–241.
[29]
Reed Hastings and Bob Joyce. 1992. Purify: A tool for detecting memory leaks and access errors in C and C++ programs. In USENIX: Proceedings of the Winter 1992 USENIX Conference. San Francisco, CA, USA, 125–138.
[30]
Chris Hawblitzel, Jon Howell, Manos Kapritsos, Jacob R. Lorch, Bryan Parno, Michael L. Roberts, Srinath Setty, and Brian Zill. 2015. IronFleet: proving practical distributed systems correct. In SOSP 2015, Proceedings of the 23rd ACM Symposium on Operating Systems Principles. Monterey, CA, USA, 1–17.
[31]
Trevor Jim, J. Greg Morrisett, Dan Grossman, Michael W. Hicks, James Cheney, and Yanling Wang. 2002. Cyclone: A safe dialect of C. In USENIX 2002: Proceedings of the 2002 USENIX Annual Technical Conference. Monterey, CA, USA, 275–288.
[32]
Cliff B. Jones. 1983. Tentative steps toward a development method for interfering programs. ACM Transactions on Programming Languages and Systems (TOPLAS) 5, 4 (1983), 596–619.
[33]
Vincent Laviron and Francesco Logozzo. 2011. SubPolyhedra: a family of numerical abstract domains for the (more) scalable inference of linear inequalities. Software Tools for Technology Transfer 13, 6 (2011), 585–601.
[34]
Gary T. Leavens, Erik Poll, Curtis Clifton, Yoonsik Cheon, Clyde Ruby, David Cok, Peter Müller, Joseph Kiniry, Patrice Chalin, Daniel M. Zimmerman, and Werner Dietl. 2013. JML Reference Manual.
[35]
K. Rustan M. Leino. 2010. Dafny: An automatic program verifier for functional correctness. In LPAR 2010: Proceedings of the 16th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning. Dakar, Senegal, 348–370.
[36]
K. Rustan M. Leino and Greg Nelson. 1998. An extended static checker for Modula-3. In CC ’98: Compiler Construction: 7th International Conference. Lisbon, Portugal, 302–305.
[37]
K. Rustan M. Leino and Clément Pit-Claudel. 2016. Trigger selection strategies to stabilize program verifiers. In CAV 2016: 28th International Conference on Computer Aided Verification. Toronto, Canada, 361–381.
[38]
Francesco Logozzo and Manuel Fähndrich. 2008. Pentagons: A weakly relational abstract domain for the efficient validation of array accesses. In SAC 2008: Proceedings of the 2008 ACM Symposium on Applied Computing. Fortaleza, Ceará, Brazil, 184–188.
[39]
Santosh Nagarakatte, Milo M. K. Martin, and Steve Zdancewic. 2015. Everything you want to know about pointer-based checking. In SNAPL 2015: the Inaugural Summit oN Advances in Programming Languages. Asilomar, CA, USA, 190–208.
[40]
George C. Necula, Jeremy Condit, Matthew Harren, Scott McPeak, and Westley Weimer. 2005. CCured: type-safe retrofitting of legacy software. ACM Trans. Program. Lang. Syst. 27, 3 (2005), 477–526.
[41]
Nicholas Nethercote and Julian Seward. 2007. Valgrind: A Framework for Heavyweight Dynamic Binary Insrumentation. In PLDI 2007: Proceedings of the ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation. San Diego, CA, USA, 89–100.
[42]
Serkan Özkan. 2018. CVE Details. https://www.cvedetails.com/ vulnerabilities-by-types.php. Summary of http://cve.mitre.org/.
[43]
Matthew M. Papi, Mahmood Ali, Telmo Luis Correa Jr., Jeff H. Perkins, and Michael D. Ernst. 2008. Practical pluggable types for Java. In ISSTA 2008, Proceedings of the 2008 International Symposium on Software Testing and Analysis. Seattle, WA, USA, 201–212.
[44]
Frank Pfenning. 1992. Dependent types in logic programming. In Types in Logic Programming, Frank Pfenning (Ed.). MIT Press, Cambridge, MA, Chapter 10, 285–311.
[45]
William Pugh. 1991. The Omega test: a fast and practical integer programming algorithm for dependence analysis. In Proceedings, Supercomputing ’91. Albuquerque, New Mexico, 4–13.
[46]
Feng Qian, Laurie Hendren, and Clark Verbrugge. 2002. A comprehensive approach to array bounds check elimination for Java. In CC 2002: Compiler Construction: 11th International Conference. Grenoble, France, 325–341.
[47]
Patrick M. Rondon, Ming Kawaguchi, and Ranjit Jhala. 2008. Liquid types. In PLDI 2008: Proceedings of the ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation. Tucson, AZ, USA, 159–169.
[48]
Joseph Santino. 2016. Enforcing correct array indexes with a type system. In FSE 2016: Proceedings of the ACM SIGSOFT 24th Symposium on the Foundations of Software Engineering. Seattle, WA, USA, 1142–1144.
[49]
Norihisa Suzuki and Kiyoshi Ishihata. 1977. Implementation of an array bound checker. In POPL ’77: Proceedings of the Fourth Annual ACM Symposium on Principles of Programming Languages. Los Angeles, CA, 132–143.
[50]
David Tarditi. 2016. Extending C with bounds safety. https://github.com/ Microsoft/checkedc/releases/download/v0.6-final/checkedc-v0.6.pdf. Accessed: 2017-05-11. ISSTA’18, July 16–21, 2018, Amsterdam, Netherlands Martin Kellogg, Vlastimil Dort, Suzanne Millstein, and Michael D. Ernst
[51]
Shiyi Wei, Piotr Mardziel, Andrew Ruef, Jeffrey S. Foster, and Michael Hicks. 2018. Evaluating design tradeoffs in numeric static analysis for Java. In ESOP 2018: 27th European Symposium on Programming. Thessaloniki, Greece.
[52]
Hongwei Xi and Frank Pfenning. 1998. Eliminating array bound checking through dependent types. ACM SIGPLAN Notices 33, 5 (1998), 249–257.

Cited By

View all
  • (2024)Program Segment Testing for Human–Machine Pair ProgrammingInternational Journal of Software Engineering and Knowledge Engineering10.1142/S021819402450028134:10(1565-1591)Online publication date: 5-Jul-2024
  • (2023)Pluggable Type Inference for Free2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE)10.1109/ASE56229.2023.00186(1542-1554)Online publication date: 11-Sep-2023
  • (2022)ReftyProceedings of the 44th International Conference on Software Engineering10.1145/3510003.3510077(1843-1855)Online publication date: 21-May-2022
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
ISSTA 2018: Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis
July 2018
379 pages
ISBN:9781450356992
DOI:10.1145/3213846
  • General Chair:
  • Frank Tip,
  • Program Chair:
  • Eric Bodden
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

In-Cooperation

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 July 2018

Permissions

Request permissions for this article.

Check for updates

Badges

Author Tags

  1. Checker Framework
  2. Index Checker
  3. Pluggable type systems

Qualifiers

  • Research-article

Conference

ISSTA '18
Sponsor:

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%

Upcoming Conference

ISSTA '25

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)23
  • Downloads (Last 6 weeks)1
Reflects downloads up to 18 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2024)Program Segment Testing for Human–Machine Pair ProgrammingInternational Journal of Software Engineering and Knowledge Engineering10.1142/S021819402450028134:10(1565-1591)Online publication date: 5-Jul-2024
  • (2023)Pluggable Type Inference for Free2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE)10.1109/ASE56229.2023.00186(1542-1554)Online publication date: 11-Sep-2023
  • (2022)ReftyProceedings of the 44th International Conference on Software Engineering10.1145/3510003.3510077(1843-1855)Online publication date: 21-May-2022
  • (2019)Source Code Instrumentation Technique for Buffer Overflow Vulnerability DetectionThe Journal of Korean Institute of Information Technology10.14801/jkiit.2019.17.9.13317:9(133-144)Online publication date: 30-Sep-2019

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media