Similar literature
19 similar documents found
1.
Research on Prolog program verification techniques based on abstract interpretation (Cited by: 1; self-citations: 0; citations by others: 1)
As a general theory of semantic approximation, abstract interpretation has been widely applied to the formal verification of all kinds of programs. Existing abstract-interpretation-based verification techniques for logic programs do not address the verification of program properties attached to program points; designing concrete and abstract semantics for logic programs that can express such properties is the key to building the corresponding verification tools. This paper presents an abstract-interpretation-based verification method for Prolog programs. The method takes a Prolog semantics that carries path information, together with its abstraction, as the semantic basis, and can therefore verify program properties attached to program points. The examples in the paper demonstrate the effectiveness of the method.

2.
吴月明, 齐蒙, 邹德清, 金海. Journal of Software (软件学报), 2023, 34(6): 2526-2542
Since its release, Android has become the most widely used mobile operating system in the world thanks to its open-source nature, rich hardware support and diverse application markets. At the same time, the explosive growth in Android devices and applications has made it the target of 96% of mobile malware. Among existing Android malware detection methods, those that ignore program semantics and directly extract simple program features are fast but not precise enough, while those that convert program semantics into a graph model and apply graph analysis are precise but expensive and poorly scalable. To address these challenges, this paper extracts an application's program semantics as a function call graph and, while preserving the semantic information, uses an abstract-API technique to convert the call graph into an abstract graph, reducing runtime overhead and improving robustness. On the resulting abstract graph, SriDroid, an obfuscation-resistant Android malware classifier based on a graph convolutional neural network, is trained with a triplet loss. Experiments on 20,246 Android applications show that SriDroid reaches a malware detection precision of 99.17% and exhibits good robustness.

3.
Ensuring that a program contains no runtime errors is essential to guaranteeing software safety. Static analysis based on abstract interpretation, which abstracts the program's semantics, is one of the most suitable formal methods for verifying the absence of runtime errors. However, the abstraction of program semantics in abstract interpretation may over-approximate, producing false alarms and lowering analysis precision. The trace-partitioning technique is therefore proposed: it partitions the program's control-flow graph according to program traces and locally refines the static analysis, reducing the false alarms caused by over-approximation. Trace partitioning trades a loss of local analysis efficiency for a gain in analysis precision.
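Added illustration, not from the paper: a toy interval analysis over a three-statement program, run once with the two arms of a branch joined at the merge point (the plain analysis) and once with trace partitioning, which keeps one abstract state per trace prefix. The IR, the interval domain and the program are constructed for this example; the false alarm that disappears under partitioning is the textbook division-by-zero case.

```python
"""Interval analysis with and without trace partitioning.
Added example; the toy IR and the program are constructed, not from the paper."""
from typing import Dict, List, Optional, Tuple

Interval = Tuple[int, int]          # closed interval [lo, hi]
State = Dict[str, Interval]         # variable -> interval


def join(a: Interval, b: Interval) -> Interval:
    return (min(a[0], b[0]), max(a[1], b[1]))


def join_states(states: List[State]) -> State:
    """Least upper bound of several states (the merge a plain analysis does)."""
    out: State = {}
    for st in states:
        for v, iv in st.items():
            out[v] = join(out[v], iv) if v in out else iv
    return out


def refine_eq0(iv: Interval) -> Optional[Interval]:
    """Refine `iv` under the guard v == 0; None if the arm is infeasible."""
    return (0, 0) if iv[0] <= 0 <= iv[1] else None


def refine_ne0(iv: Interval) -> Optional[Interval]:
    """Refine `iv` under the guard v != 0 (only the endpoints can be cut off)."""
    lo, hi = iv
    if lo == hi == 0:
        return None
    return (1 if lo == 0 else lo, -1 if hi == 0 else hi)


def interp(block, states: List[State], partition: bool, alarms: List[str]) -> List[State]:
    """Abstractly execute `block` on every incoming state.
    Statements: ("assign", v, (lo, hi)); ("if", v, then_block, else_block) tests v == 0;
                ("div", dst, num, den) raises an alarm when den may be 0.
    With `partition`, the states leaving the two arms are kept apart (one per
    trace prefix); without it they are joined right after the `if`."""
    for stmt in block:
        if stmt[0] == "assign":
            _, v, iv = stmt
            states = [dict(st, **{v: iv}) for st in states]
        elif stmt[0] == "if":
            _, v, then_b, else_b = stmt
            out: List[State] = []
            for st in states:
                arms: List[State] = []
                t, e = refine_eq0(st[v]), refine_ne0(st[v])
                if t is not None:
                    arms += interp(then_b, [dict(st, **{v: t})], partition, alarms)
                if e is not None:
                    arms += interp(else_b, [dict(st, **{v: e})], partition, alarms)
                out += arms if partition else ([join_states(arms)] if arms else [])
            states = out
        elif stmt[0] == "div":
            _, dst, num, den = stmt
            for st in states:
                if st[den][0] <= 0 <= st[den][1]:
                    alarms.append(f"{dst} = {num} / {den}: {den} may be 0, interval {st[den]}")
            states = [dict(st, **{dst: (-10**9, 10**9)}) for st in states]  # coarse quotient
    return states


# `flag` is an unknown input in {0, 1}; concretely x is never 0 at the division.
PROGRAM = [
    ("assign", "flag", (0, 1)),
    ("if", "flag", [("assign", "x", (-1, -1))], [("assign", "x", (1, 1))]),
    ("div", "y", "c", "x"),
]


def analyze(partition: bool) -> Tuple[List[State], List[str]]:
    """Run the analysis on PROGRAM; returns the states reaching the end and the alarms."""
    alarms: List[str] = []
    states = interp(PROGRAM, [{"c": (100, 100)}], partition, alarms)
    return states, alarms


if __name__ == "__main__":
    for mode in (False, True):
        states, alarms = analyze(mode)
        print("partition" if mode else "join", [s["x"] for s in states], alarms)
```

Without partitioning the merge yields x in [-1, 1], which contains 0, so the division is reported; with partitioning the two states x = [-1, -1] and x = [1, 1] are carried separately to the division and no alarm is raised, at the cost of analysing the rest of the block once per partition.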

4.
Code obfuscation, a means of protecting programs, prevents attackers from usefully tampering with code by increasing the difficulty of analysing and understanding the program. From the attacker's perspective, this paper points out that blindly applying code obfuscation does not effectively improve program security, whereas combining various obfuscation methods from multiple angles according to an attack model can. It then builds an attack model that describes an attack as a process of continually extracting program information, analysing the concrete semantics from it, and then obtaining the abstract semantics through abstraction and judgement; corresponding code obfuscation methods are introduced at each level of the attack to protect the code.

5.
Code obfuscation can let malicious code evade detection by signature-matching malware detectors. Using abstract interpretation theory, this paper analyses, from the perspective of program semantics, how well the semantics-based malware detection algorithm proposed by 高鹰 et al. handles code obfuscation. Based on a formal description of that algorithm, an equivalent detector based on trace semantics is constructed; by proving the oracle soundness and oracle completeness of the trace-semantics detector with respect to variant-preserving obfuscation algorithms, the oracle soundness and oracle completeness of the detection algorithm of 高鹰 et al. are established theoretically.
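Added example, constructed here and not the algorithm of 高鹰 et al. or anything from the paper: a toy straight-line VM whose concrete semantics is the trace of system-call events it produces, plus two detectors. The signature detector looks for the malware's instruction sequence verbatim; the semantic detector abstracts both programs to their event traces and asks whether the malware's trace is a subsequence of the candidate's. An obfuscated variant that renames registers, inserts junk instructions and assembles its strings piecewise defeats the signature but not the trace abstraction. The instruction set, the register names, the path and the address are all constructed.

```python
"""Signature matching vs. trace-semantics matching under obfuscation.
Added example; the toy VM and the three programs are constructed."""
from typing import Dict, List, Tuple

Instr = Tuple
Event = Tuple[str, str]          # (system call, argument value)


def run(program: List[Instr]) -> List[Event]:
    """Concrete semantics: execute straight-line code and return the trace of
    observable events, i.e. the system calls with their concrete argument."""
    regs: Dict[str, str] = {}
    trace: List[Event] = []
    for instr in program:
        op = instr[0]
        if op == "set":            # ("set", reg, const)
            regs[instr[1]] = instr[2]
        elif op == "copy":         # ("copy", dst, src)
            regs[instr[1]] = regs[instr[2]]
        elif op == "cat":          # ("cat", dst, src): dst = dst + src
            regs[instr[1]] = regs[instr[1]] + regs[instr[2]]
        elif op == "sys":          # ("sys", name, reg): observable system call
            trace.append((instr[1], regs[instr[2]]))
        elif op != "nop":
            raise ValueError(f"unknown opcode {op}")
    return trace


# Constructed sample: read a secret file, then connect to a remote host.
MALWARE = [
    ("set", "r0", "/etc/shadow"), ("sys", "open", "r0"),
    ("set", "r1", "203.0.113.7"), ("sys", "connect", "r1"),
]
# Same behaviour after register renaming, junk insertion and string splitting.
OBFUSCATED = [
    ("set", "t3", "/etc/"), ("nop",), ("set", "t9", "shadow"), ("set", "junk", "0"),
    ("cat", "t3", "t9"), ("copy", "r7", "t3"), ("sys", "open", "r7"),
    ("set", "junk", "1"), ("set", "t3", "203.0.113.7"), ("nop",), ("sys", "connect", "t3"),
]
# Reads the same file but never connects anywhere: must not be flagged.
BENIGN = [
    ("set", "r0", "/etc/shadow"), ("sys", "open", "r0"),
    ("set", "r1", "/var/log"), ("sys", "open", "r1"),
]


def signature_match(signature: List[Instr], program: List[Instr]) -> bool:
    """Syntactic detector: the signature must occur verbatim and contiguously."""
    n = len(signature)
    return any(program[i:i + n] == signature for i in range(len(program) - n + 1))


def is_subsequence(needle: List[Event], hay: List[Event]) -> bool:
    it = iter(hay)
    return all(any(e == h for h in it) for e in needle)


def semantic_match(malware: List[Instr], program: List[Instr]) -> bool:
    """Trace-semantics detector: abstract both programs to their event traces
    and check that the malicious trace is contained in the candidate's."""
    return is_subsequence(run(malware), run(program))


if __name__ == "__main__":
    for name, prog in (("malware", MALWARE), ("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(name, "signature:", signature_match(MALWARE, prog), "semantic:", semantic_match(MALWARE, prog))
```

The semantic detector is sound with respect to every transformation that preserves the event trace (the analogue of the variant-preserving obfuscations in the abstract); an obfuscation that changes the observable calls themselves, for example by using a different syscall to reach the same file, is outside that class and would need a coarser abstraction.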

6.
Proving complex concrete programs via abstract programs (Cited by: 1; self-citations: 1; citations by others: 0)
李彬, 汤震浩, 翟娟, 赵建华. Journal of Software (软件学报), 2017, 28(4): 786-803
This paper describes a method for proving that an abstract program and a concrete program satisfy a consistency relation. The abstract program uses abstract data types (ADTs) such as set, list and map and the operations on them; the concrete program uses the types of a C-like language. Proving consistency between the two requires the user to give the relation between abstract and concrete variables and the correspondence between program points of the abstract and concrete programs. Based on this correspondence, the consistency proof can be decomposed, which makes it easy and potentially automatic.

7.
Memory leak detection for heap-manipulating programs based on a local abstract heap representation (Cited by: 1; self-citations: 0; citations by others: 1)
Heap-manipulating programs allocate, merge and free heap memory flexibly through shared mutable data structures. Memory leak detection for such programs requires precise field-sensitive pointer alias information and becomes especially complex and hard to handle. To address this problem, a field-sensitive heap abstraction based on "pointer extended types" is proposed, which abstracts the spatial arrangement of pointer variables to support local reasoning about the heap. First, the operational semantics of the basic statements is defined; then, on top of this abstraction, a new memory leak detection algorithm is built around a forward data-flow iteration. A prototype memory leak checker for C programs, Heapcheck, was implemented in the Crystal compiler framework; it supports leak detection through pointer-typed fields inside complex data structures. Experimental results on typical C benchmark programs show that the method outperforms existing techniques in both efficiency and precision.

8.
Traditional token-based clone detection methods exploit the serialised nature of code text and can quickly detect clones in large code repositories. Compared with methods based on abstract syntax trees (ASTs) or program dependence graphs (PDGs), however, they lack syntactic and semantic information and struggle with clones whose text differs substantially. To address this, a token-based clone detection method that enriches tokens with semantic information is proposed. First, the AST is analysed and AST paths are used to abstract the semantic information of tokens at leaf nodes; then a low-cost index is built on tokens in the roles of function names and type names to quickly and effectively filter candidate clone fragments; finally, the semantically enriched tokens are used to judge the similarity between code blocks. Experimental results on the public large-scale dataset BigCloneBench show that the method significantly outperforms mainstream methods including NiCad, Deckard and CCAligner on Moderately Type-3 and Weakly Type-3/Type-4 clones with low textual similarity, while needing less detection time on large repositories.
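Added example of the token-plus-AST-path idea on Python source using the standard `ast` module; it is constructed here and is not the paper's implementation or its exact feature definition. Each leaf token is replaced by its role (local names become VAR; called function names and constants are kept because they carry the semantics) and tagged with the last three ancestor node types of its AST path; function-name tokens feed a small inverted index that selects candidate pairs before a Jaccard similarity is computed. The three fragments are constructed: the second is a Type-3 clone of the first (renamed identifiers plus an inserted statement), the third is unrelated.

```python
"""Token-based clone detection where tokens carry AST-path context.
Added example using Python's ast module; the fragments are constructed."""
import ast
from typing import Dict, List, Set, Tuple

Feature = Tuple[str, str]   # (abstracted token, last three ancestor node types)


class PathTokenizer(ast.NodeVisitor):
    """Collect one feature per leaf token of a function.
    Local identifiers are abstracted to VAR so renamed clones still match;
    called function/method names and constants are kept; the AST path of
    ancestor node types records the syntactic role of the token."""

    def __init__(self) -> None:
        self.stack: List[str] = []
        self.features: Set[Feature] = set()

    def generic_visit(self, node: ast.AST) -> None:
        self.stack.append(type(node).__name__)
        super().generic_visit(node)
        self.stack.pop()

    def add(self, token: str) -> None:
        self.features.add((token, "/".join(self.stack[-3:])))

    def visit_Call(self, node: ast.Call) -> None:
        self.stack.append("Call")
        if isinstance(node.func, ast.Name):
            self.add("FN:" + node.func.id)
        elif isinstance(node.func, ast.Attribute):
            self.add("FN:" + node.func.attr)
            self.visit(node.func.value)
        else:
            self.visit(node.func)
        for arg in node.args:
            self.visit(arg)
        for kw in node.keywords:
            self.visit(kw.value)
        self.stack.pop()

    def visit_Name(self, node: ast.Name) -> None:
        self.add("VAR")

    def visit_Constant(self, node: ast.Constant) -> None:
        self.add("CONST:" + repr(node.value))


def features_of(source: str) -> Set[Feature]:
    tok = PathTokenizer()
    tok.visit(ast.parse(source))
    return tok.features


def jaccard(a: Set[Feature], b: Set[Feature]) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0


def build_index(fragments: Dict[str, str]):
    """Features per fragment plus an inverted index from FN: tokens to fragments."""
    feats = {name: features_of(src) for name, src in fragments.items()}
    index: Dict[str, Set[str]] = {}
    for name, fs in feats.items():
        for token, _ in fs:
            if token.startswith("FN:"):
                index.setdefault(token, set()).add(name)
    return feats, index


def find_clones(fragments: Dict[str, str], threshold: float = 0.5) -> List[Tuple[str, str, float]]:
    feats, index = build_index(fragments)
    pairs = []
    for a in fragments:
        # only fragments sharing at least one called name become candidates
        cands = set().union(*(index[t] for t, _ in feats[a] if t.startswith("FN:"))) - {a}
        for b in cands:
            if a < b and (sim := jaccard(feats[a], feats[b])) >= threshold:
                pairs.append((a, b, round(sim, 2)))
    return sorted(pairs)


FRAGMENTS = {
    "original": "def read_config(path):\n    with open(path) as f:\n"
                "        data = f.read()\n    return json.loads(data)\n",
    "clone": "def load_settings(filename):\n    logger.debug('loading')\n"
             "    with open(filename) as handle:\n        raw = handle.read()\n"
             "    return json.loads(raw)\n",
    "unrelated": "def checksum(data):\n    total = 0\n    for b in data:\n"
                 "        total = (total + b) % 256\n    return total\n",
}

if __name__ == "__main__":
    print(find_clones(FRAGMENTS))
```

The clone shares the eight (token, path) features of the original and adds three for the inserted logging call, giving a Jaccard similarity of 8/11; the unrelated fragment calls nothing and is never even paired by the index.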

9.
In Prolog program analysis, taking the program's execution paths and the non-logical cut operation into account can improve analysis precision. The semantics currently used for path-dependent analysis of Prolog programs depend on the goal being executed and are therefore unsuitable for goal-independent analysis. To this end, this paper adopts an abstract syntax for Prolog that carries path information and allows the cut operation; on this basis it gives an operational semantics for Prolog and a goal-independent labelled-tree (LT) semantics, and proves the correctness of the LT semantics with respect to the operational semantics. The LT semantics can serve as the basis for goal-independent path-dependent analysis of Prolog programs.

10.
Computer Engineering & Science (计算机工程与科学), 2017, (10): 1837-1846
Android malware is numerous and highly harmful, and detection methods for it are a current research focus. Existing methods extract either syntactic or semantic features in isolation and have difficulty accurately characterising a malicious program's attack intent. A detection method that combines syntactic and semantic features is proposed: the semantic features are a set of class-abstracted taint propagation paths, combined with syntactic features such as permission declarations and Intent-Action pairs. After normalising the features, the K-means algorithm is applied to the training set to produce a feature vector for each malware family, and Euclidean distance measures the similarity between an unknown program and those vectors. A prototype system was implemented on top of FlowDroid; analysis of 400 real programs shows that the method achieves high precision.

11.
Blaming the client: on data refinement in the presence of pointers (Cited by: 1; self-citations: 1; citations by others: 0)
Data refinement is a common approach to reasoning about programs, based on establishing that a concrete program indeed satisfies all the required properties imposed by an intended abstract pattern. Reasoning about programs in this setting becomes complex when use of pointers is assumed and, moreover, a well-known method for proving data refinement, namely the forward simulation method, becomes unsound in the presence of pointers. The reason for unsoundness is the failure of the "lifting theorem" for simulations: that a simulation between abstract and concrete modules can be lifted to all client programs. The result is that simulation does not imply that a concrete module can replace an abstract module in all contexts. Our diagnosis of this problem is that unsoundness is due to interference from the client programs. Rather than blame a module for the unsoundness of lifting simulations, our analysis places the blame on the client programs which cause the interference: when interference is not present, soundness is recovered. Technically, we present a novel instrumented semantics which is capable of detecting interference between a module and its client. With use of special simulation relations, namely growing relations, and interpreting the simulation method using the instrumented semantics, we obtain a lifting theorem. We then show situations under which simulation does indeed imply refinement.

12.
We present a method based on abstract interpretation to check secure information flow in programs with dynamic structures where input and output channels are associated with security levels. In the concrete operational semantics each value is annotated by a security level, dynamically taking into account both the explicit and the implicit information flows. We define a collecting semantics which associates with each program point the set of concrete states of the machine when the point is reached. The abstract domains are obtained from the concrete ones by keeping the security levels and forgetting the actual values. Using this framework, we define an abstract semantics, called instruction-level security typing, that allows us to certify a larger set of programs than the typing approaches to checking secure information flow. An efficient implementation is shown, operating a fixpoint iteration similar to that of the Java bytecode verification. This work was partially supported by the Italian COFIN 2004 project "AIDA: Abstract Interpretation Design and Application".

13.
Heap-manipulating programs dynamically manipulate heap memory cells through shared mutable data structures, which makes memory safety hard to guarantee. To address this problem, a field-sensitive k-limit memory abstraction model is proposed that supports dynamically adjusting the abstraction granularity, striking a balance between precision and efficiency in static analysis. The memory model is presented in terms of its framework, properties and operations; then, combined with the definition of memory safety, four memory-safety-related error types are defined within the operational-semantics framework built on the model; finally, a data-flow iteration algorithm for memory-safety checking based on the model is designed.

14.
A system design method where the computer system is adapted to user semantics is described. In the method, user semantics are defined as abstract objects using special languages. Both user data semantics and user operations are defined. A translator converts the abstract definitions into internal machine storage representation and machine instructions. Users can then include the defined operations in user programs. Execution of the user operations transforms the internal state consistently with the definition of the operations.

16.
In this paper we generalize the notion of compositional semantics to cope with transfinite reductions of a transition system. Standard denotational and predicate transformer semantics, even though compositional, provide inadequate models for some known program manipulation techniques. We are interested in the systematic design of extended compositional semantics, observing possible transfinite computations, i.e. computations that may occur after a given number of infinite loops. This generalization is necessary to deal with program manipulation techniques modifying the termination status of programs, such as program slicing. We include the transfinite generalization of semantics in the hierarchy developed in 1997 by P. Cousot, where semantics at different levels of abstraction are related with each other by abstract interpretation. We prove that a specular hierarchy of non-standard semantics modeling transfinite computations of programs can be specified in such a way that the standard hierarchy can be derived by abstract interpretation. We prove that non-standard transfinite denotational and predicate transformer semantics can both be systematically derived as solutions of simple abstract domain equations involving the basic operation of reduced power of abstract domains. This allows us to prove the optimality of these semantics, i.e. they are the most abstract semantics in the hierarchy which are compositional and observe respectively the terminating and initial states of transfinite computations, providing an adequate mathematical model for program manipulation.

17.
Information and Computation, 2007, 205(9): 1334-1370
We propose a method to analyze secure information flow in stack-based assembly languages, communicating with the external environment by means of input and output channels. The method computes for each instruction a security level for each memory variable and stack element. Instruction-level security analysis is flow-sensitive and hence is more precise than other analyses, such as standard security typing. Instruction-level security analysis is specified in the framework of abstract interpretation. We define a concrete operational semantics which handles, in addition to execution aspects, the flow of information of the program. The basis of the approach is that each value is annotated by a security level and that the abstract domain is obtained from the concrete one by keeping the security levels and forgetting the actual values. The operand stack is abstracted as a fixed-length stack of security levels. An abstract state is a map from instructions to abstract machine configurations, where values are substituted by security levels. The abstract semantics consists of a set of abstract rules manipulating abstract states. The instruction-level security typing can be performed by an efficient fixpoint iteration algorithm, similar to that used by bytecode verification.
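Added example for the instruction-level security typing described in items 12 and 17; it is constructed here and is neither paper's analysis or assembly language. A flow-sensitive fixpoint runs over a toy stack machine in which every variable and stack slot carries a level in {L, H}; a branch on a value of level l raises the pc level to l until the join point named on the branch instruction (a structured-code convention assumed for this example, standing in for the post-dominator a real analysis would compute), and every write to an output channel is checked against the channel's level. The third program is rejected by a flow-insensitive type system, since x once holds a secret, but is certified here because x is public again at the output.

```python
"""Instruction-level security typing for a toy stack machine.
Added example; the machine, the join-point convention on `ifeq` and the
programs are constructed for this illustration."""
from typing import Dict, List, Optional, Tuple

RANK = {"L": 0, "H": 1}                 # two-point lattice, L below H
Vars = Dict[str, str]                   # variable -> level
PcStack = Tuple[Tuple[int, str], ...]   # (join index, level) of enclosing branches
State = Tuple[Vars, Tuple[str, ...], PcStack]


def lub(a: str, b: str) -> str:
    return a if RANK[a] >= RANK[b] else b


def pc_level(pcs: PcStack) -> str:
    level = "L"
    for _, lvl in pcs:
        level = lub(level, lvl)
    return level


def join_state(a: Optional[State], b: State) -> State:
    if a is None:
        return b
    (va, sa, pa), (vb, sb, pb) = a, b
    assert len(sa) == len(sb) and len(pa) == len(pb), "stack shapes differ at merge"
    variables = {v: lub(va.get(v, "L"), vb.get(v, "L")) for v in set(va) | set(vb)}
    stack = tuple(lub(x, y) for x, y in zip(sa, sb))
    pcs = tuple((j, lub(x, y)) for (j, x), (_, y) in zip(pa, pb))
    return variables, stack, pcs


def analyze(program: List[tuple]) -> List[Tuple[int, str]]:
    """Instructions (constructed toy ISA):
      ("const",) push a public constant      ("in", lvl) push a value read at level lvl
      ("out", lvl) pop and write to a channel of level lvl
      ("load", v) ("store", v) ("add",) ("jmp", t) ("halt",)
      ("ifeq", t, j) pop; branch to t if zero; j is the index where both arms meet,
                     so the pc is raised to the tested level on [i+1, j) only.
    Returns (instruction index, message) for every illegal flow to an output channel."""
    states: List[Optional[State]] = [None] * len(program)
    states[0] = ({}, (), ())
    violations = set()
    work = [0]

    def propagate(j: int, st: State) -> None:
        if j >= len(program):
            return
        variables, stack, pcs = st
        st = (variables, stack, tuple(p for p in pcs if p[0] != j))  # leave regions joining at j
        new = join_state(states[j], st)
        if new != states[j]:
            states[j] = new
            work.append(j)

    while work:
        i = work.pop()
        variables, stack, pcs = states[i]
        op, *args = program[i]
        pc = pc_level(pcs)
        if op == "const":                      # a constant pushed under a high pc is high
            propagate(i + 1, (variables, stack + (pc,), pcs))
        elif op == "in":
            propagate(i + 1, (variables, stack + (lub(pc, args[0]),), pcs))
        elif op == "out":
            level = lub(pc, stack[-1])
            if RANK[level] > RANK[args[0]]:
                violations.add((i, f"{level} data written to {args[0]} channel"))
            propagate(i + 1, (variables, stack[:-1], pcs))
        elif op == "load":
            propagate(i + 1, (variables, stack + (lub(pc, variables.get(args[0], "L")),), pcs))
        elif op == "store":
            propagate(i + 1, ({**variables, args[0]: lub(pc, stack[-1])}, stack[:-1], pcs))
        elif op == "add":
            propagate(i + 1, (variables, stack[:-2] + (lub(stack[-1], stack[-2]),), pcs))
        elif op == "ifeq":
            target, join_at = args
            pcs2 = pcs + ((join_at, lub(pc, stack[-1])),)
            propagate(i + 1, (variables, stack[:-1], pcs2))
            propagate(target, (variables, stack[:-1], pcs2))
        elif op == "jmp":
            propagate(args[0], (variables, stack, pcs))
        elif op != "halt":
            raise ValueError(op)
    return sorted(violations)


EXPLICIT = [("in", "H"), ("out", "L"), ("halt",)]                 # secret straight to L
IMPLICIT = [("in", "H"), ("ifeq", 5, 7),                          # branch on the secret
            ("const",), ("store", "x"), ("jmp", 7),               # x = 1
            ("const",), ("store", "x"),                           # x = 0
            ("load", "x"), ("out", "L"), ("halt",)]               # x reveals the secret
FLOW_SENSITIVE = [("in", "H"), ("store", "x"), ("const",), ("store", "x"),
                  ("load", "x"), ("out", "L"), ("halt",)]        # x is public again

if __name__ == "__main__":
    for name, prog in (("explicit", EXPLICIT), ("implicit", IMPLICIT), ("flow-sensitive", FLOW_SENSITIVE)):
        print(name, analyze(prog))
```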

18.
This paper presents an abstract semantics that uses information about execution paths to improve precision of data flow analyses of logic programs. The abstract semantics is illustrated by abstracting execution paths using call strings of fixed length and the last transfer of control. Abstract domains that have been developed for logic program analyses can be used with the new abstract semantics without modification.

19.
As the functionality of real-time embedded systems grows more complex, existing real-time system design methods such as hardware/software separation and hardware/software co-design can no longer meet the requirements of system implementation. Following the core ideas of model-driven architecture (MDA) and model-integrated computing (MIC), this paper combines timing semantics with the Servant/Exe-Flow Model (SEFM) and proposes a model-driven design method for real-time systems. First, the metamodel of SEFM is given to express the abstract semantics of the system, while an XML language and a block-diagram language are used to describe the concrete syntax of SEFM models. Using XML parsing, different concrete syntaxes of the same abstract syntax can be converted into one another, which realises code generation from the block-diagram language. Finally, the design of a real-time car-following system demonstrates the feasibility and correctness of the method.


Copyright © Beijing Qinyun Technology Development Co., Ltd. (北京勤云科技发展有限公司)  京ICP备09084417号