Issue No. 01, January 2008 (vol. 34), pp. 21-32
ABSTRACT
We present an algorithm by which mutually-distrusting parties can work together to learn program specifications while preserving their privacy. These specifications describe security policies and correct API usage rules. By sharing data, parties are able to discover more specifications, and thus find more software bugs, than if they never share data. However, because sharing data breaches privacy, we present a way for parties to perturb and publish data and yet still discover more specifications and bugs than if they had never shared data. In aggregate, these perturbed traces can be analyzed to learn correct specifications of program behavior. The perturbed traces cannot, however, be analyzed to determine that one party contributed buggier traces than another party. The learned specifications are of benefit to all parties. Despite the noise introduced to safeguard privacy, our algorithm typically learns specifications that find 85% of the bugs that a no-privacy approach would find. A lack of traces is a critical obstacle to practical specification mining; we present an approach for privately sharing traces to gain a large public and private benefit.
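The abstract describes perturbed traces that are useless for singling out one party yet accurate in aggregate. The following is an added illustration of that idea, not the paper's own algorithm (which the abstract does not detail): each party applies Warner's randomized-response technique to its per-trace verdicts on a candidate "a is followed by b" rule, and the aggregator unbiases the pooled reports. The traces, the rule shape and the parameter names are constructed for this example.

```python
import random

# Constructed sample input (not from the paper): each party holds a few API
# traces; a candidate specification is a pair (a, b) meaning "every a is
# eventually followed by b", e.g. every open is followed by close.
PARTY_TRACES = {
    "party_A": [["open", "read", "close"], ["open", "close"], ["open", "read"]],
    "party_B": [["open", "close"], ["open", "read", "close"], ["open", "write"]],
}

def satisfies(trace, rule):
    """True if every occurrence of rule[0] is later followed by rule[1]."""
    a, b = rule
    pending = False
    for ev in trace:
        if ev == a:
            pending = True
        elif ev == b:
            pending = False
    return not pending

def randomized_response(answer, p_truth, rng):
    """Warner-style randomized response: report the truth with probability
    p_truth, otherwise report a fair coin.  A single report says little about
    the party that produced it, so nobody can tell who held the buggy traces."""
    return answer if rng.random() < p_truth else rng.random() < 0.5

def unbias(observed_rate, p_truth):
    """Invert the expected report rate r = p*t + (1-p)/2 to recover t, the
    true fraction of traces that satisfy the rule."""
    return (observed_rate - (1.0 - p_truth) / 2.0) / p_truth

def mine_privately(traces_by_party, rule, p_truth, seed=0):
    """Each party publishes only perturbed per-trace verdicts; the aggregator
    estimates how often the rule holds across all parties' traces."""
    rng = random.Random(seed)
    reports = [randomized_response(satisfies(t, rule), p_truth, rng)
               for ts in traces_by_party.values() for t in ts]
    return unbias(sum(reports) / len(reports), p_truth)

def estimate_at_scale(n, true_frac, p_truth, seed=1):
    """With many perturbed verdicts the aggregate estimate converges on the
    truth even though each individual report is noisy (constructed population)."""
    rng = random.Random(seed)
    answers = [i < int(n * true_frac) for i in range(n)]
    reports = [randomized_response(a, p_truth, rng) for a in answers]
    return unbias(sum(reports) / n, p_truth)
```

With p_truth=1.0 the estimate equals the true rate exactly (no privacy); lowering p_truth adds noise per report while the large-population estimate stays close to the truth.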
INDEX TERMS
F.3.1.f Specification techniques, D.2.19 Software Quality/SQA, I.2.6 Learning, K.4.1.f Privacy
CITATION
Westley Weimer, "Privately Finding Specifications", IEEE Transactions on Software Engineering, vol.34, no. 1, pp. 21-32, January 2008, doi:10.1109/TSE.2007.70744