String Analysis for Software Verification and Security

Author: Tevfik Bultan, Fang Yu, Muath Alkhalaf, Abdulbaki Aydin
Publisher: Springer
Total Pages: 174
Release: 2018-01-04
Genre: Computers
ISBN: 9783319686707

This book discusses automated string-analysis techniques, focusing particularly on automata-based static string analysis. It covers the following topics: automata-based string analysis, computing pre- and post-conditions of basic string operations using automata, symbolic representation of automata, forward and backward string analysis using symbolic automata representation, constraint-based string analysis, string constraint solvers, relational string analysis, vulnerability detection using string analysis, string abstractions, differential string analysis, and automated sanitization synthesis using string analysis. String manipulation is a crucial part of modern software systems; for example, it is used extensively in input validation and sanitization and in dynamic code and query generation. The goal of string-analysis techniques and this book is to determine the set of values that string expressions can take during program execution. String analysis can be used to solve many problems in modern software systems that relate to string manipulation, such as: (1) Identifying security vulnerabilities by checking if a security-sensitive function can receive an input string that contains an exploit; (2) Identifying possible behaviors of a program by identifying possible values for dynamically generated code; (3) Identifying HTML generation errors by computing the HTML code generated by web applications; (4) Identifying the set of queries that are sent to a back-end database by analyzing the code that generates the SQL queries; (5) Patching input validation and sanitization functions by automatically synthesizing repairs illustrated in this book. Like many other program-analysis problems, it is not possible to solve the string analysis problem precisely (i.e., it is not possible to precisely determine the set of string values that can reach a program point). However, one can compute over- or under-approximations of possible string values. If the approximations are precise enough, they can enable developers to demonstrate the existence or absence of bugs in string-manipulating code. String analysis has been an active research area in the last decade, resulting in a wide variety of string-analysis techniques. This book will primarily target researchers and professionals working in computer security, software verification, formal methods, software engineering and program analysis. Advanced-level students or instructors teaching or studying courses in computer security, software verification or program analysis will find this book useful as a secondary text.

Challenges of Software Verification

Author: Vincenzo Arceri, Agostino Cortesi, Pietro Ferrara, Martina Olliaro
Publisher: Springer Nature
Total Pages: 275
Release: 2023-09-04
Genre: Technology & Engineering
ISBN: 9789811996016

This book provides an overview of the open challenges in software verification. Software verification is a branch of software engineering aiming at guaranteeing that software applications satisfy some requirements of interest. Over the years, the software verification community has proposed and considered several techniques: abstract interpretation, data-flow analysis, type systems, and model checking are just a few examples. The theoretical advances have always been motivated by practical challenges that have led to an equal evolution of both these sides of software verification. Indeed, several verification tools have been proposed by the research community, and any software application, in order to guarantee that certain software requirements are met, needs to integrate a verification phase in its life cycle, independently of the context of application or software size. This book is aimed at collecting contributions discussing recent advances in facing open challenges in software verification, relying on a broad spectrum of verification techniques. This book collects contributions ranging from theoretical to practical arguments, and it is aimed at both researchers in software verification and their practitioners.

Verification Model Checking and Abstract Interpretation

Author: Bernd Finkbeiner, Thomas Wies
Publisher: Springer Nature
Total Pages: 531
Release: 2022-01-13
Genre: Computers
ISBN: 9783030945831

This book constitutes the proceedings of the 23rd International Conference on Verification, Model Checking, and Abstract Interpretation, VMCAI 2022, which took place in Philadelphia, PA, USA, in January 2022. The 22 papers presented in this volume were carefully reviewed from 48 submissions. VMCAI provides a forum for researchers working on verification, model checking, and abstract interpretation and facilitates interaction, cross-fertilization, and advancement of hybrid methods that combine these and related areas.

Model Checking Software

Author: Fabrizio Biondi, Thomas Given-Wilson, Axel Legay
Publisher: Springer Nature
Total Pages: 269
Release: 2019-10-02
Genre: Computers
ISBN: 9783030309237

This book constitutes the refereed proceedings of the 26th International Symposium on Model Checking Software, SPIN 2019, held in Beijing, China, in July 2019. The 11 full papers presented and 2 demo-tool papers were carefully reviewed and selected from 29 submissions. Topics covered include formal verification techniques for automated analysis of software; formal analysis for modeling languages, such as UML/state charts; formal specification languages, temporal logic, design-by-contract; model checking, automated theorem proving, including SAT and SMT; verifying compilers; abstraction and symbolic execution techniques; and much more.

Programming Languages and Systems

Author: Anthony Widjaja Lin
Publisher: Springer Nature
Total Pages: 492
Release: 2019-11-18
Genre: Computers
ISBN: 9783030341756

This book constitutes the proceedings of the 17th Asian Symposium on Programming Languages and Systems, APLAS 2019, held in Nusa Dua, Bali, Indonesia, in December 2019. The 22 papers presented in this volume were carefully reviewed and selected from 50 submissions. They were organized in topical sections named: Invited Papers, Types, Program Analysis, Semantics, Language Design and Implementation, Concurrency, Verification, and Logic and Automata.

Software Safety and Security

Author: NATO Emerging Security Challenges Division
Publisher: IOS Press
Total Pages: 400
Release: 2012
Genre: Computers
ISBN: 9781614990277

Recent decades have seen major advances in methods and tools for checking the safety and security of software systems. Automatic tools can now detect security flaws not only in programs of the order of a million lines of code, but also in high-level protocol descriptions. There has also been something of a breakthrough in the area of operating system verification. This book presents the lectures from the NATO Advanced Study Institute on Tools for Analysis and Verification of Software Safety and Security, a summer school held at Bayrischzell, Germany, in 2011. This Advanced Study Institute was divided into three integrated modules: Foundations of Safety and Security, Applications of Safety Analysis and Security Analysis. Subjects covered include mechanized game-based proofs of security protocols, formal security proofs, model checking, using and building an automatic program verifier and a hands-on introduction to interactive proofs. Bringing together many leading international experts in the field, this NATO Advanced Study Institute once more proved invaluable in facilitating the connections which will influence the quality of future research and the potential to transfer research into practice. This book will be of interest to all those whose work depends on the safety and security of software systems.

Combinatorics on Words

Author: Thierry Lecroq, Svetlana Puzynina
Publisher: Springer Nature
Total Pages: 210
Release: 2021-09-06
Genre: Mathematics
ISBN: 9783030850883

This book constitutes the refereed proceedings of the 13th International Conference on Combinatorics on Words, WORDS 2021, held virtually in September 2021. The 14 revised full papers presented in this book together with 2 invited talks were carefully reviewed and selected from 18 submissions. WORDS is the main conference series devoted to the mathematical theory of words. In particular, the combinatorial, algebraic and algorithmic aspects of words are emphasized. Motivations may also come from other domains such as theoretical computer science, bioinformatics, digital geometry, symbolic dynamics, numeration systems, text processing, number theory, etc.

Developments in Language Theory

Author: Volker Diekert, Mikhail Volkov
Publisher: Springer Nature
Total Pages: 339
Release: 2022-05-08
Genre: Computers
ISBN: 9783031055782

This book constitutes the proceedings of the 26th International Conference on Developments in Language Theory, DLT 2022, which was held in Tampa, FL, USA, in May 2022. The conference took place in a hybrid format with both in-person and online participation. The 21 full papers included in these proceedings were carefully reviewed and selected from 32 submissions. The DLT conference series provides a forum for presenting current developments in formal languages and automata.