Kasper Søe Luckow

Exact and approximate probabilistic symbolic execution for nondeterministic programs

Probabilistic software analysis seeks to quantify the likelihood of reaching a target event under uncertain environments. Recent approaches compute probabilities of execution paths using symbolic execution, but do not support nondeterminism. Nondeterminism arises naturally when no suitable probabilistic model can capture a program behavior, e.g., for multithreading or distributed systems. In this work, we propose a technique, based on symbolic execution, to synthesize schedulers that resolve nondeterminism to maximize the probability of reaching a target event. To scale to large systems, we also introduce approximate algorithms to search for good schedulers, speeding up established random sampling and reinforcement learning results through the quantification of path probabilities based on symbolic execution. We implemented the techniques in Symbolic PathFinder and evaluated them on nondeterministic Java programs. We show that our algorithms significantly improve upon a state-of-the-art statistical model checking algorithm, originally developed for Markov Decision Processes.

WCET analysis of Java bytecode featuring common execution environments

We present a novel tool for statically determining the Worst Case Execution Time (WCET) of Java Bytecode-based programs called Tool for Execution Time Analysis of Java bytecode (TetaJ). This tool differentiates itself from existing tools by separating the individual constituents of the execution environment into independent components. The prime benefit is that it can be used for execution environments featuring common embedded processors and software implementations of the JVM. TetaJ employs a model checking approach for statically determining WCET where the Java program, the JVM, and the hardware are modelled as Networks of Timed Automata (NTA) and given as input to the state-of-the-art UPPAAL model checking tool. The tool is evaluated through a case study based on the classic text-book example of a hard real-time control system in a mine pump. The system is hosted on an execution environment featuring an interpretation-based JVM, called Hardware near Virtual Machine (HVM) that runs on an Atmel AVR ATmega2560 processor.

HVMTP: A Time Predictable and Portable Java Virtual Machine for Hard Real-Time Embedded Systems

We present HVMTP, a time predictable and portable Java Virtual Machine (JVM) implementation with applications in resource-constrained, hard real-time embedded systems, which implements the Safety Critical Java (SCJ) Level 1 specification. Time predictability is achieved by a combination of time predictable algorithms, exploiting the programming model of the SCJ profile, and harnessing static knowledge of the hosted SCJ system. This paper presents HVMTP in terms of its design and capabilities, and demonstrates how a complete timing model of the JVM represented as a Network of Timed Automata can be obtained using the tool TetaSARTSJVM. The timing model readily integrates with the rest of the TetaSARTS tool-set for temporal verification of SCJ systems. We will also show how a complete timing scheme in terms of safe Worst Case Execution Times and Best Case Execution Times of the Java Bytecodes can be derived from the model.

TetaSARTS: a tool for modular timing analysis of safety critical Java systems

We describe the design and the capabilities of the static timing analysis tool TetaSARTS that assists in temporal verification of Safety Critical Java (SCJ) systems. The primary functionality of TetaSARTS is schedulability analysis, which takes into account the scheduling policy and task interactions. TetaSARTS also facilitates analysing processor utilisation and idle time, Worst Case Execution Time, Worst Case Response Time, and Worst Case Blocking Time. In the analyses, TetaSARTS accounts for the execution environment hosting the analysed system; both hardware implementations of the Java Virtual Machine as well as software implementations hosted on common embedded hardware are supported. Several parameters of the execution environment can be adjusted prior to performing the analyses e.g. the clock frequency of the hardware. The enabling technology for supporting the analyses and for achieving high flexibility is model checking. In a process resembling the stages of an optimising compiler, TetaSARTS translates the SCJ system into a Network of Timed Automata amenable to model checking using the Uppaal model checker.

Towards harnessing theories through tool support for hard real-time Java programming

We present a rationale for a selection of tools that assist developers of hard real-time applications to verify that programs conform to a Java real-time profile and that platform-specific resource constraints are satisfied. These tools are specialised instances of more generic static analysis and model checking frameworks. The concepts are illustrated by two case studies, and the strengths and the limitations of the tools are discussed.

JDart: A Dynamic Symbolic Analysis Framework

We describe JDart, a dynamic symbolic analysis framework for Java. A distinguishing feature of JDart is its modular architecture: the main component that performs dynamic exploration communicates with a component that efficiently constructs constraints and that interfaces with constraint solvers. These components can easily be extended or modified to support multiple constraint solvers or different exploration strategies. Moreover, JDart has been engineered for robustness, driven by the need to handle complex NASA software. These characteristics, together with its recent open sourcing, make JDart an ideal platform for research and experimentation. In the current release, JDart supports the CORAL, SMTInterpol, and Z3 solvers, and is able to handle NASA software with constraints containing bit operations, floating point arithmetic, and complex arithmetic operations e.g., trigonometric and nonlinear. We illustrate how JDart has been used to support other analysis techniques, such as automated interface generation and testing of libraries. Finally, we demonstrate the versatility and effectiveness of JDart, and compare it with state-of-the-art dynamic or pure symbolic execution engines through an extensive experimental evaluation.

HVMTP: A time predictable and portable java virtual machine for hard real‐time embedded systems

We present HVMTP, a time predictable and portable Java virtual machine (JVM) implementation with applications in resource‐constrained, hard real‐time embedded systems, which implements all levels of the safety critical Java (SCJ) specification. Time predictability is achieved by a combination of time‐predictable algorithms, exploiting the programming model of the SCJ profile and harnessing static knowledge of the hosted SCJ system. This paper presents HVMTP in terms of its design and capabilities and demonstrates how a complete timing model of the JVM represented as a network of timed automata can be obtained using the tool TETASARTSJVM. The timing model readily integrates with the rest of the TETASARTS tool set for temporal verification of SCJ systems. We will also show how a complete timing scheme in terms of safe worst‐case execution times and best‐case execution times of the Java bytecodes can be derived from the model. Furthermore, we take a first look at how to support the new Java 8 language feature of Lambda expressions in a SCJ context – we look in particular at how the invokedynamic bytecode can be implemented in a time‐predictable way and integrated in HVMTP. Copyright

Symbolic PathFinder v7

We describe Symbolic PathFinder v7 in terms of its updated design addressing the changes of Java PathFinder v7 and of its new optimization when computing path conditions. Furthermore, we describe the Symbolic Execution Tree Extension; a newly added feature that allows for outputting the symbolic execution tree that characterizes the execution paths covered during symbolic execution. The new extension can be tailored to the needs of subsequent analyses/processing facilities, and we demonstrate this by presenting SPF-Visualizer, which is a tool for customizable visualization of the symbolic execution tree.

Bluetooth Indoor Positioning System using Fingerprinting

Indoor Positioning has been an active research area in the last decade, but so far, commercial Indoor Positioning Systems (IPSs) have been sparse. The main obstacle towards widely available IPSs has been the lack of appropriate, low cost technologies, that enable indoor positioning. While Wi-Fi infrastructures are ubiquitous, consumer-oriented Wi- Fi enabled mobile phones have been missing. Conversely, while Bluetooth technology is present in the vastmajority of consumermobile phones,Bluetooth infrastructures have been missing. Bluetooth infrastructures have typically been installed as part of complete hardware-/software IPSs that often incur a substantial hardware cost. Furthermore, Bluetooth has low power consumption compared to Wi-Fi devices, which promotes longer battery life-time on mobile phones. In this paper, we present a Bluetooth IPS based entirely on commodity-grade products. The positioning accuracy is evaluated by using the so-called location fingerprinting technique which is well-known from Wi-Fi positioning literature. The results show that 2 meters median accuracy is achievable - a result that compares favourably to results for Wi-Fi based systems.

POSTER: AFL-based Fuzzing for Java with Kelinci

Grey-box fuzzing is a random testing technique that has been shown to be effective at finding security vulnerabilities in software. The technique leverages program instrumentation to gather information about the program with the goal of increasing the code coverage during fuzzing, which makes gray-box fuzzers extremely efficient vulnerability detection tools. One such tool is AFL, a grey-box fuzzer for C programs that has been used successfully to find security vulnerabilities and other critical defects in countless software products. We present Kelinci, a tool that interfaces AFL with instrumented Java programs. The tool does not require modifications to AFL and is easily parallelizable. Applying AFL-type fuzzing to Java programs opens up the possibility of testing Java based applications using this powerful technique. We show the effectiveness of Kelinci by applying it on the image processing library Apache Commons Imaging, in which it identified a bug within one hour.