Cristina Cifuentes

Java™ on the bare metal of wireless sensor devices: the squawk Java virtual machine

The Squawk virtual machine is a small Java™ virtual machine (VM) written mostly in Java that runs without an operating system on a wireless sensor platform. Squawk translates standard class file into an internal pre-linked, position independent format that is compact and allows for efficient execution of bytecodes that have been placed into a read-only memory. In addition, Squawk implements an application isolation mechanism whereby applications are represented as object and are therefore treated as first class objects (i.e., they can be reified). Application isolation also enables Squawk to run multiple applications at once with all immutable state being shared between the applications. Mutable state is not shared. The combination of these features reduce the memory footprint of the VM, making it ideal for deployment on small devices.Squawk provides a wireless API that allows developers to write applications for wireless sensor networks (WSNs), this API is an extension of the generic connection framework (GCF). Authentication of deployed files on the wireless device and migration of applications between devices is also performed by the VM.This paper describes the design and implementation of the Squawk VM as applied to the Sun™ Small Programmable Object Technology (SPOT) wireless device; a device developed at Sun Microsystems Laboratories for experimentation with wireless sensor and actuator applications.

Boosting the performance of flow-sensitive points-to analysis using value flow

Points-to analysis is a fundamental static analysis technique which computes the set of memory objects that a pointer may point to. Many different applications, such as security-related program analyses, bug checking, and analyses of multi-threaded programs, require precise points-to information to be effective. Recent work has focused on improving the precision of points-to analysis through flow-sensitivity and great progress has been made. However, even with all recent progress, flow-sensitive points-to analysis can still be much slower than a flow-insensitive analysis. In this paper, we propose a novel method that simplifies flow-sensitive points-to analysis to a general graph reachability problem in a value flow graph. The value flow graph summarizes dependencies between pointer variables, including those memory dependencies via pointer dereferences. The points-to set for each pointer variable can then be computed as the set of memory objects that can reach it in the graph. We develop an algorithm to build the value flow graph efficiently by examining the pointed-to-by set of a memory object, i.e., the set of pointers that point to an object. The pointed-to-by information of memory objects is very useful for applications such as escape analysis, and information flow analysis. Our approach is intuitive, easy to implement and very efficient. The implementation is around 2000 lines of code and it is more efficient than existing flow-sensitive points-to analyses. The runtime is comparable with the state-of-the-art flow-insensitive points-to analysis.

User-Input Dependence Analysis via Graph Reachability

Bug-checking tools have been used with some success in recent years to find bugs in software. For finding bugs that can cause security vulnerabilities, bug checking tools require a program analysis which determines whether a software bug can be controlled by user-input. In this paper we introduce a static program analysis for computing user-input dependencies. This analysis can be used as a pre-processing filter to a static bug checking tool for identifying bugs that can potentially be exploited as security vulnerabilities. In order for the analysis to be applicable to large commercial software in the millions of lines of code, runtime speed and scalability of the user-input dependence analysis is of key importance. Our user-input dependence analysis takes both data and control dependencies into account. We extend static single assignment (SSA) form by augmenting phi-nodes with control dependencies. A formal definition of user-input dependence is expressed in a dataflow analysis framework as a meet-over-all-paths (MOP) solution. We reduce the equation system to a sparse equation system exploiting the properties of SSA. The sparse equation system is solved as a reachability problem that results in a fast algorithm for computing user-input dependencies. We have implemented a call-insensitive and a call-sensitive analysis. The paper gives preliminary results on the comparison of their efficiency for various benchmarks.

The squawk virtual machine: Java™ on the bare metal

The Squawk virtual machine is a small Java(TM) VM written in Java that runs without an OS on small devices. Squawk implements an isolate mechanism allowing applications to be reified. Multiple isolates can run in the one VM, and isolates can be migrated between different instances of the VM.

Parfait: designing a scalable bug checker

We present the design of Parfait, a static layered program analysis framework for bug checking, designed for scalability and precision by improving false positive rates and scale to millions of lines of code. The Parfait framework is inherently parallelizable and makes use of demand driven analyses. In this paper we provide an example of several layers of analyses for buffer overflow, summarize our initial implementation for C, and provide preliminary results. Results are quantified in terms of correctly-reported, false positive and false negative rates against the NIST SAMATE synthetic benchmarks for C code.

A transformational approach to binary translation of delayed branches

A binary translator examines binary code for a source machine and generates code for a target machine. Understanding what to do with delayed branches in binary code can involve tricky case analyses, for example, if there is a branch instruction in a delay slot. This article presents a disciplined method for deriving such case analyses. The method identifies problematic cases, shows the translations for the nonproblematic cases, and gives confidence that all cases are considered. The method supports such common architectures as SPARC, MIPS, and PA-RISC, and it should apply to any tool that analyzes machine instructions. We begin by writing a very simple interpreter for the source machines code. We then transform the interpreter into an interpreter for a target machine without delayed branches. To maintain the semantics of the program being interpreted, we simultaneously transform the sequence of source-machine instructions into a sequence of target-machine instructions. The transformation of the instructions becomes our algorithm for binary translation.

Computer security analysis through decompilation and high-level debugging

The extensive use of computers and networks worldwide has raised the awareness of the need for tools and techniques to aid in computer security analysis of binary code, such as the understanding of viruses, trojans, worms, backdoors and general security flaws, in order to provide immediate solutions with or without the aid of software vendors. The paper is a proposal for a high-level debugging tool to be used by computer security experts, which will reduce the amount of time needed to solve security-related problems in executable programs. The current state of the art involves the tracing of thousands of lines of assembly code using a standard debugger. A high-level debugger would be capable of displaying a high-level representation of an executable program in the C language, hence reducing the number of lines that need to be inspected by an order of magnitude (i.e. hundreds instead of thousands of lines). Effectively, these techniques will help in reducing the amount of time needed to trace a security flaw in an executable program, as well as reducing the costs of acquiring or training skilled assembler engineers.

Dynamic binary translation using run-time feedbacks

Dynamic binary translation is the process of translating, modifying and rewriting executable (binary) code from one machine to another at run-time. This process of low-level re-engineering consists of a reverse engineering phase followed by a forward engineering phase.UQDBT, the University of Queensland Dynamic Binary Translator, is a machine-adaptable translator. Adaptability is provided through the specification of properties of machines and their instruction sets, allowing the support of different pairs of source and target machines. Most binary translators are closely bound to a pair of machines, making analyses and code hard to reuse.Like most virtual machines, UQDBT performs generic optimizations that apply to a variety of machines. Frequently executed code is translated to native code by the use of edge weight instrumentation, which makes UQDBT converge more quickly than systems based on instruction speculation.In this paper, we describe the architecture and run-time feedback optimizations performed by the UQDBT system, and provide results obtained in the x86 and SPARC® platforms.

Precise and scalable context-sensitive pointer analysis via value flow graph

In this paper, we propose a novel method for context-sensitive pointer analysis using the value flow graph (VFG) formulation. We achieve context-sensitivity by simultaneously applying function cloning and computing context-free language reachability (CFL-reachability) in a novel way. In contrast to existing clone-based and CFL-based approaches, flow-sensitivity is easily integrated in our approach by using a flow-sensitive VFG where each value flow edge is computed in a flow-sensitive manner. We apply context-sensitivity to both local variables and heap objects and propose a new approximation for heap cloning. We prove that our approach can achieve context-sensitivity without loss of precision, i.e., it is as precise as inlining all function calls. We develop an efficient algorithm and implement a context-, flow-, and field-sensitive pointer analysis with heap cloning support in LLVM. We evaluate the efficiency and precision of our implementation using standard SPEC CPU2006 benchmarks. Our experimental results show that the analysis is much faster than existing approaches, it scales well to large real-world applications, and it enables more effective compiler optimizations.

Transitioning Parfait into a Development Tool

The Parfait static-code-analysis tool started as a research project at Sun Labs (now Oracle Labs) to address runtime and precision shortcomings of C and C++ static-code-analysis tools. After developers started to see and verify the research outcomes, they made further requests to ensure the tool would be easy to use and integrate. This helped transition Parfait from a research artifact to a developer tool. Developers use Parfait daily to prevent the introduction of defects into code bases and to report defects in existing code. Several organizations at Oracle have integrated it into build processes.