Title: The Daikon invariant detector
1The Daikon invariant detector
An Explanation and Demo by
Blake Ford
Introductory Material
A daikon is a type of Asian radish. Daikon is
pronounced like the two English words die-con.
The name stands for dynamic conjectures.
Demo Background Information
Detecting invariants involves two steps:
1. Obtain one or more data trace files by running your program under the control of a front end (also known as an instrumenter or tracer) that records information about variable values. You may choose to obtain trace data for only part of your program. This avoids inundating you with output and can also improve performance.
2. Run the Daikon invariant detector over the data trace file. This detects invariants in the recorded information. You can view the invariants textually or process them with a variety of tools.
Note: Many front ends perform both of these steps via one command-line option.
Official Front Ends
- Chicory: Java
- Kvasir: binary C/C++
- Mangel-Wurzel: source C/C++
- dfepl: Perl
- convertcsv.pl: comma-separated values
Use the proper front end to produce a .dtrace file and optional .decl and .spinfo files. After creating these files, run the Daikon invariant detector via the command
    java daikon.Daikon [flags] dtrace-files... [decl-files...] [spinfo-files...]
For today's demo, I will be using the binary C instrumenter Kvasir.
Kvasir is named after the Norse god of knowledge. In the Daikon package, it is only a short script. It is closely tied to another program called Fjalar, which is also provided in the package. According to Norse mythology, Fjalar killed Kvasir and turned his blood into the mead of poetry.
Some aspects of this mythological relationship are referenced in the Daikon realm: Fjalar consumes the information provided by the Kvasir script and converts this data into useful input for Daikon.
Fjalar is built upon the popular Valgrind binary instrumentation framework. Valgrind is a generic binary framework, which gives it the ability to work with programs compiled from any language. Fjalar helps optimize and filter the typically verbose Valgrind output to provide specific, less redundant and more relevant C/C++ debugging information for programs compiled with DWARF2 debugging information.
Inside the Kvasir script:
    ../kvasir/inst/bin/valgrind --tool=fjalar <application name>
The Demo
I have found that the tracing works best with global variables; therefore, all the variables of interest are declared globally.
My test application is based upon the implementation provided in the homework (p. 302, Problem 18):
    { x > 0 }
    a = x; y = 1;
    while (a > 0) {
        y = y * a;
        a = a - 1;
    }
    { y = x! }
Some relevant properties we'd like to verify in our implementation include:
- y = x!
- x > 0 on entry to the function
- evidence of a loop invariant
Daikon Output
..main():::ENTER
/x == /a
/x == /y
/x == 0
..main():::EXIT
/a == return
/a == orig(/x)
/a == orig(/a)
/a == orig(/y)
/x == 5
/a == 0
/y == 120
..hw():::ENTER
/x == /a
/y == 1
..hw():::EXIT
/x == orig(/x)
/x == orig(/a)
/y == return
/a == 0
..main():::ENTER
/x == /a
/x == /y
/x == 0
The first piece of information shows us that all
of our variables of concern are initialized to
zero.
..hw():::ENTER
/x == /a
/y == 1
This segment tells us that when we enter this function we are always guaranteed these values. This is useful, because with the transition to global variables it is entirely possible to write code which calls this function outside of its original intent. This step is like an automatic assignment-axiom proof.
..hw():::EXIT
/x == orig(/x)
/x == orig(/a)
/y == return
/a == 0
As we leave this function, x has not changed, y is always returned, and a is equal to zero. /x == orig(/a) really adds nothing to our understanding of the application. However, it is an invariant.
..main():::EXIT
/a == return
/a == orig(/x)
/a == orig(/a)
/a == orig(/y)
/x == 5
/a == 0
/y == 120
Upon leaving the program, we can assert the constant, final state of our variables. The first section of /a formulas are only coincidentally true. The last three formulas are very important and provide us with important data about the final program state: 120 = 5!, proving our postcondition y = x!, and /a == 0 helps show that our loop completed.
Daikon Output 2
..main():::ENTER
/x == /a
/x == /y
/x == 0
..main():::EXIT
/a == return
/a == orig(/x)
/a == orig(/a)
/a == orig(/y)
/x == 4
/a == 0
/y == 24
..hw():::ENTER
/x == /a
/y == 1
..hw():::EXIT
/x == orig(/x)
/x == orig(/a)
/y == return
/a == 0
The second data set shows that even though the
values of our variables changed, the important
inherent properties remained the same.
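As an added illustration of the two-step process and of the two output sets above (example code written for this write-up, not Daikon's or Kvasir's own implementation; it only conjectures invariants of the forms v == c and v == w): a miniature detector in Python run over constructed ENTER/EXIT samples of hw(). With only the x = 5 run, coincidental constants such as /y == 120 survive; adding the x = 4 run falsifies them, while /y == return, /a == 0 and /x == orig(/x) remain.

```python
# Added example (not from the Daikon package): a miniature Daikon-style
# detector run over constructed ENTER/EXIT samples of the slide's factorial
# function hw().  Candidate invariants are conjectured from the first sample
# and discarded as soon as any later sample falsifies them.

def hw_trace(x):
    """Constructed trace of hw() for one input x: a = x; y = 1;
    while a > 0: y = y * a; a = a - 1.  Returns (ENTER sample, EXIT sample)."""
    a, y = x, 1
    enter = {"/x": x, "/a": a, "/y": y}
    while a > 0:
        y = y * a
        a = a - 1
    # EXIT samples also carry the return value and the orig() values,
    # i.e. the globals as they were on entry, as Daikon reports them.
    exit_ = {"/x": x, "/a": a, "/y": y, "return": y,
             "orig(/x)": enter["/x"], "orig(/a)": enter["/a"],
             "orig(/y)": enter["/y"]}
    return enter, exit_

def detect(samples):
    """Return the set of 'v == c' and 'v == w' invariants that hold in every sample."""
    names = sorted(samples[0])
    invs = set()
    for n in names:                      # unary: variable equals a constant
        c = samples[0][n]                # the first sample supplies the conjecture
        if all(s[n] == c for s in samples):
            invs.add(f"{n} == {c}")
    for i, n1 in enumerate(names):       # binary: two variables always equal
        for n2 in names[i + 1:]:
            if all(s[n1] == s[n2] for s in samples):
                invs.add(f"{n1} == {n2}")
    return invs

def invariants_for(inputs):
    """Run hw() on each input, then detect invariants at ENTER and at EXIT."""
    traces = [hw_trace(x) for x in inputs]
    return detect([t[0] for t in traces]), detect([t[1] for t in traces])

if __name__ == "__main__":
    for inputs in ([5], [5, 4]):
        enter, exit_ = invariants_for(inputs)
        print(f"inputs {inputs}")
        print("  ..hw():::ENTER", sorted(enter))
        print("  ..hw():::EXIT ", sorted(exit_))
```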
Because Daikon only describes data in an Enter
and Exit context, you will get better results by
creating smaller, more specific functions.
The Online Tutorial Wordplay
The Daikon package contains an example of a mid-size C application called Wordplay. The program attempts to find anagrams with a given set of words. I decided not to use this example for my demo, because it simply provided too much output to explain clearly. However, I did want to quickly show its output file.
Real World Example: Swaddler
http://groups.csail.mit.edu/pag/daikon/pubs/CovaBFV2007-abstract.html
Daikon is not entirely academic and has been put
to use in industry.
Swaddler analyses the internal state of a web application and learns the relationships between the application's critical execution points and the application's internal state. By doing this, Swaddler is able to identify attacks that attempt to bring an application into an inconsistent, anomalous state, such as violations of the intended workflow of a web application.
Swaddler uses Daikon to produce likely invariants in a web-based system and then attempts to find execution paths which violate them. This program has been used to evaluate the security of several real-world web-based applications.
Conclusions
Daikon (Kvasir) is a dynamic form of verification, which is different from the other tools and methods we have studied. I liked this method, because it helped with the synthesis portion of my programming task by working with my compiled code. Properties observed by Daikon are path- and implementation-dependent, which implies some level of assurance is lost. It seems reminiscent of symbolic evaluation, and I would expect it to have similar strengths and weaknesses.
Daikon Pros
- Output is easily readable
- Extendible
- Customizable
- Portable
- Usable in many programming environments
- Useful supplement to conventional testing
Daikon (Kvasir) Cons
- Setup can be confusing
- Relies on obsolete components
- C front end is Linux only
- Programs need to be tailored for usable output
- No release mode support
- Output often contains useless invariants
Questions?