Generating and Inferring Interface Properties for Static Analysis

Software robustness and security are critical to dependable operations of computer systems. Robustness and security of software systems are governed by various temporal properties. Static verification has been shown to be effective in checking temporal properties. But manually specifying these properties is cumbersome and requires knowledge of the system and source code. Furthermore, many system-specific correctness properties that govern the robust and secure operation of software systems are often not documented by the developers. We design and implement a novel framework to effectively generate a large number of concrete interface robustness properties for static verification from a few generic, high-level user specified robustness rules for exception handling. These generic rules are free from any system or interface details, which are automatically mined from the source code. We report our experience of applying this framework to test robustness of POSIX-APIs in Redhat-9.0 open source packages. Security properties that dictate the ordering of certain system calls are usually inter-procedural unlike robustness properties. In this paper, we present our ongoing research that infers these properties directly from the program source code by applying statistical analysis on model checking traces. We are implementing our ideas in an existing static analyzer that employs pushdown model checking and the gcc compiler.