Statistical Reasoning About Programs

Statistical Reasoning  
about Programs

Marcel Böhme, Max Planck Institute for Security and Privacy & Monash University · ICSE’22 · Statistical Reasoning about Programs
Program Analysis Problem
Are there any bugs? Where are they located? What is the
average execution performance? Where are the bottlenecks?
Is there any information
fl
ow from a sensitive source to a
public sink? Does this commit introduce any bugs? Do these
pointers point to the same memory location? What is the
type of this variable? Is this program statement reachable?
What are the typical values of this variable? Can this
assertion be violated?

• Program consists of a set of instructions for the machine.

• Formal syntax describes the structure of all programs.

• Formal semantics describes what the machine should do
Formal Reasoning about Programs

• To formally reason about a program means

• (i) to interpret its instructions according to the given semantic rules,

• (ii) to derive a model of computation that describes the relationship
between the inputs and outputs of that program, and

• (iii) to compute the property of interest within this model of computation.

October 1969

October 1969 Only people in academic
or research institutions had
the opportunity for single-
person use of a computer.

• Advantages

• Analyze and formally guarantee universal properties that hold for all inputs.

• Analyze the program irrespective of the machine it is running on.

• Analyze the program at any level of abstraction (need not be executable).

• Disadvantages

• Many interesting program analysis problems are undecidable.

• The model of computation may be incomplete or incorrect.

• Some code may only be available at runtime: re
fl
ection, dynamic loading, libs

• The compiler / interpreter may resolve unde
fi
ned behavior.

• Disadvantages



fl

fi
ned behavior.

• The analysis must make assump- 
tions about the machine.

• Disadvantages



fl

fi
ned behavior.

• The analysis must make assumptions about the machine.

• For scalability, tool builders trade soundness or completeness.

• False positives: Reports bugs (properties) that do not exist.

• False negatives: Fails to report bugs (properties) that do exist.

• Many achievements in practice!

• Industry-grade static analysis tools

• Google ErrorProne (routinely analyzes Google’s 2 billion LoC code base)

• Github CodeQL (security code scanning at Github scale)

• Facebook Infer (substantial success in
fi
nding bugs at Facebook scale)

• Formal veri
fi
cation of an entire OS microkernel (seL4).

• Yet, for practical program analysis there are no more guarantees.

• No soundness: We report bugs that don’t exist.

• No completeness: We do not report bugs that do.
July 2021

July 2021


We can’t seem to quantify the degree  
to which our analyses are incorrect!

• Scale-oblivious, sampling-based, in vivo program analysis.

• Observational setting:

• Observe the program property for a random sample of executions.

• Experimental setting:

• Iteratively generate and validate hypotheses about the property  
by modifying & comparing “copies” of a random sample of executions.
Statistical Reasoning about Programs

• Statistical Reasoning allows us to extrapolate

• from properties of sample executions to properties of the population.

• with quanti
fi
able accuracy for systems of arbitrary size.

• Better e
ffi
ciency can be obtained by a lower sampling rate.

• However, the guarantees remain in tact during the trade!

• To be clear, there are many statistical challenges to be tackled!

• Provides us with a new lens for the program analysis problem.

• Measuring properties of systems of arbitrary size and measuring the
degree of uncertainty is the backbone of any statistical analysis.

• Today, we have the technology:

• Virtualization (hypervisors): Google-wide pro
fi
ling (GWP), GWP-ASAN.

• Today, we have the technology:

• Virtualization (hypervisors): Google-wide pro
fi
ling (GWP), GWP-ASAN.

• Compiler passes: instrument any program you compile (e.g., ASAN)

• Open-source OS kernel (e.g., ecosystem-wide bug
fi
nding; KFence).

• Hardware-assisted program analysis (ARM memory tagging).

• Opportunities:

• Foundations of statistical reasoning about programs.

• Integration of formal and statistical reasoning.

• Novel scale-oblivious program analysis techniques.

• Opportunities:




• Challenges:

• Observation e
ff
ects: minimize impact on the system in production.

• Privacy concerns: never reveal information about speci
fi
c users.

• Bounding the improbable and the adversarial.

• Samples from operational distribution are not iid.

about Programs




about Programs



July 2021



about Programs



July 2021




• with quantifiable accuracy for systems of arbitrary size.

• Better eﬃciency can be obtained by a lower sampling rate.


about Programs



July 2021




• with quantifiable accuracy for systems of arbitrary size.

• Better eﬃciency can be obtained by a lower sampling rate.

• Opportunities:




• Challenges:

• Observation eﬀects: minimize impact on the system in production.

• Privacy concerns: never reveal information about specific users.

• Bounding the improbable and the adversarial.

• Samples from operational distribution are not iid.

Statistical Reasoning About Programs

More Related Content

What's hot

Similar to Statistical Reasoning About Programs

More from mboehme

Recently uploaded

Statistical Reasoning About Programs