Probabilistic Program Analysis

Transcription

1 Probabilistic Program Analysis Data Flow Analysis and Regression Alessandra Di Pierro University of Verona, Italy Herbert Wiklicky Imperial College London, UK Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide of 45 Classical Dataflow Analysis The problem could be to identify at any program point the variables which are live, i.e. which may later be used in an assignment or test. There are two phases of a classical LV analysis: (i) formulation of data-flow equations as set equations (or more generally over a property lattice L), (ii) finding or constructing solutions to these equations, for example, via a fixed-point construction. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide of 45

2 Example Consider a program like: [x := ] ; [y := ] ; [x := x + y mod 4] 3 ; if [x > ] 4 then [z := x] 5 else [z := y] 6 fi Extract statically the control flow relation i.e. is it possible to go from lable l to label l? flow = {(, ), (, 3), (3, 4), (4, 5), (4, 6)} Nielson, Nielson, Hankin: Principles of Program Analysis. Springer, 99/05. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 3 of 45 (Local) Transfer Functions gen LV ([x := a] l ) = FV(a) gen LV ([skip] l ) = gen LV ([b] l ) = FV(b) kill LV ([x := a] l ) = {x} kill LV ([skip] l ) = kill LV ([b] l ) = f LV l : P(Var ) P(Var ) f LV l (X) = X \ kill LV ([B] l ) gen LV ([B] l ) Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 4 of 45

3 (Global) Control Flow Formulate equations based on the control flow (relations): LV entry (l) = f LV l LV exit (l) = (LV exit (l)) LV entry (l ) (l,l ) flow Monotone Framework: Generalise this setting to lattice equations by using a general property lattice L instead of P(X). This also gives ways to effectively construct solutions via various lattice theoretic concepts (fixed points, worklist, etc.) Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 5 of 45 Example [x := ] ; [y := ] ; [x := x + y mod 4] 3 ; if [x > ] 4 then [z := x] 5 else [z := y] 6 fi Control Flow: Auxiliary Functions: flow = {(, ), (, 3), (3, 4), (4, 5), (4, 6)} Equations (over L = P(Var)) gen LV (l) kill LV (l) {x} {y} 3 {x, y} {x} 4 {x} 5 {x} {z} 6 {y} {z} Bolzano, -6 August 06 LV entry () ESSLLI 6 = LV exit () Probabilistic \ {x} Program Analysis Slide 6 of 45

4 A Probabilistic Language (Variation) We consider a simple language with a random assignment ρ = { r, p,... r n, p n } (rather than a probabilistic choice). S ::= skip x := e(x,..., x n ) x?= ρ S ; S if b then S else S fi while b do S od S ::= [skip] l [x := e(x,..., x n )] l [x?= ρ] l S ; S if [b] l then S else S fi while [b] l do S od Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 7 of 45 Probabilistic Semantics SOS: R0 stop, s stop, s R skip, s stop, s R R3 v := e, s stop, s[v E(e)s] v?= ρ, s ρ(r) stop, s[v r] LOS: T( l, p, l ) = U(x a) E(l, l ) for [x := a] l T( l, p, l ) = ( i ρ(r i) U(x r i )) E(l, l ) for [x?= ρ] l... Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 8 of 45

5 (Local) Transfer Functions (extended) gen LV ([x := a] l ) = FV(a) gen LV ([x?= ρ] l ) = gen LV ([skip] l ) = gen LV ([b] l ) = FV(b) kill LV ([x := a] l ) = {x} kill LV ([x?= ρ] l ) = {x} kill LV ([skip] l ) = kill LV ([b] l ) = f LV l : P(Var ) P(Var ) f LV l (X) = X \ kill LV ([B] l ) gen LV ([B] l ) Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 9 of 45 Probabilistic Analysis In the classical analysis the undecidability of predicates in tests leads us to consider a conservative approach: Everything is possible, i.e. tests are treated as non-deterministic choices in the control flow. In a probabilistic analysis we aim instead in providing good (optimal) estimates for branch(ing) probabilities when we construct the probabilistic control flow. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 0 of 45

6 Example Consider, for example, instead of [x := ] ; [y := ] ; [x := x + y mod 4] 3 ; if [x > ] 4 then [z := x] 5 else [z := y] 6 fi a probabilistic program like: [x?= {0, }] ; [y?= {0,,, 3}] ; [x := x + y mod 4] 3 ; if [x > ] 4 then [z := x] 5 else [z := y] 6 fi Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide of 45 Probabilistic Control Flow and Equations We can also use the classical control flow relation (as long as we do not consider a randomised choose statement). However, we can t use the same equations, because: (i) We want to express probabilities of properties not just (safe approximations) of properties. (ii) We also need to consider relational aspects, i.e. correlations e.g. between the sign of variables. (iii) We would like/need to estimate the branching probabilities when tests are evaluated. (iv) We often also need probabilistic versions of the transfer functions. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide of 45

7 Local Transfer When we look at the local transfer functions f l then we now need some probabilistic version of these. For example: given probability distributions describing the values of x and y, what is the probability distribution describing possible values of x + y mod 4. Possible ways to obtain probabilistic and abstract versions f # l Construction of a corresponding operator. Abstraction of the concrete semantics. Testing and Profiling also give us estimates. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 3 of 45 Probabilistic Abstract Interpretation For an abstraction A : V(State) V(L) we get for a concrete transfer operator F an abstract, (least-square) optimal estimate via F # = A FA in analogy to Abstract Interpretation. Definition Let C and D be two Hilbert spaces and A : C D a bounded linear map. A bounded linear map A = G : D C is the Moore-Penrose pseudo-inverse of A iff (i) A G = P A, (ii) G A = P G, where P A and P G denote orthogonal projections onto the ranges of A and G. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 4 of 45

8 Branch Probabilities Definition Given a program S l with init(s l ) = l and a probability distribution ρ on State, the probability p l,l (ρ) that the control is flowing from l to l is defined as: p l,l (ρ) = s { p ρ(s) s s.t. S l, s p Sl, s }. The branch probabilities thus also depend on an initial distribution, even for deterministic programs. One can implement the test b as projections P(b) which filter out states which do not pass the test. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 5 of 45 Tests and Branch Probabilities (Concrete) Consider the simple program with x {0,, } if [x >= ] then [x := x ] else [skip] 3 fi Then the test b = (x >= ) is represented by the projection: P(x >= ) = 0 0 and P(x >= ) = For ρ = { 0, p 0,, p,, p } = (p 0, p, p ) we can compute the branch(ing) probabilities as ρp(x >= ) = (0, p, p ) and p, (ρ) = ρ P(x >= ) = p + p, for the else branch, with P = I P: p,3 (ρ) = ρ P (x >= ) = p 0. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 6 of 45

9 Abstract Branch Probabilities If we consider abstract states ρ # V(L) we need abstract versions P(b) # of P(b) to compute the branch probabilities. In doing so we must guarantee that for ρ # = ρa: ρp(b)a! = ρ # P # (b) ρp(b)a! = ρap # (b) P(b)A! = AP # (b) Ideally, to get P # if we multiply the last equation from the left with A. However, A is in general not not invertible. The optimal (least-square) estimate can be obtained via A P(b)A = A AP # (b) A P(b)A = P # (b) We get estimates for the abstract branch probabilities. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 7 of 45 An Example: Prime Numbers are Odd Consider the following program that counts the prime numbers. [i := ] ; while [i < 00] do if [prime(i)] 3 then [p := p + ] 4 else [skip] 5 fi; [i := i + ] 6 od Essential is the abstract branch probability for [.] 3 : P(prime(i)) # = A ep(prime(i))a e, Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 8 of 45

10 An Example: Abstraction Test operators: P e = (P(even(n))) ii = { if i = k 0 otherwise P p = (P(prime(n))) ii = Abstraction Operators: (A e ) ij = (A p ) ij = { if prime(i) 0 otherwise if i = k + j = if i = k j = 0 otherwise if prime(i) j = if prime(i) j = 0 otherwise Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 9 of 45 An Example: Abstract Branch Probability For ranges [0,..., n] we get: n = 0 n = 00 n = 000 n = 0000 A e P pa e A e P p A e A p P ea p A p P e A p ( ) ( ) ( ) ( ( ) ( ) ( ) ( ( ) ( ) ( ) ( ( ) ( ) ( ) ( ) ) ) ) The entries in the upper left corner of A ep p A e give us the chances that an even number is also a prime number, etc. Note that the positive and negative matrices always add up to I. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 0 of 45

11 Probabilistic Dataflow Equations Similar to classical DFA we formulate linear equations: Analysis (l) = Analysis (l) F # l { ι, if l E Analysis (l) = {Analysis (l ) P(l, l) # (l, l) F}, else A simpler version can be obtained by static branch prediction: Analysis (l) = {p l,l Analysis (l ) (l, l) F} Abstract branch probabilities, i.e. estimates for the test operators P(l, l) #, can be estimated also via a different analysis Prob, in a first phase before the actual Analysis. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide of 45 Live Variable Analysis: Example Coming back to our previous example and its LV analysis: [x?= {0, }] ; [y?= {0,,, 3}] ; [x := x + y mod 4] 3 ; if [x > ] 4 then [z := x] 5 else [z := y] 6 fi Consider two properties d for dead, and l for live and the space V({0, }) = V({d, l}) = R as the property space. L = ( 0 0 ) and K = ( 0 0 ). We define the abstract transfers for our four blocks a F l = F LV l : V({0, }) Var V({0, }) Var Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide of 45

12 Transfer Functions for Live Variables For [x := a] l (with I the identity matrix) F l = L if x i FV(a) X i with X i = K if x i = x x i FV(a) x i Var I otherwise. and for tests [b] l F l = X i with X i = x i Var { L if xi FV(b) I otherwise. For [skip] l and [x?= ρ] l have F l = x i Var I. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 3 of 45 Preprocessing We present a LV analysis based essentially on concrete branch probabilities. That means that in the first phase of the analysis we will not abstract the values of x and y, we just ignore z all together. If the concrete state of each variable is a value in {0,,, 3}, then the probabilistic state is in V({0,,, 3}) 3 = R 43 = R 64. The abstraction we use when we compute the concrete branch probabilities is A = I I A f, with A f = (,,, ) t the forgetful abstraction, i.e. z is ignored. This allows us to reduce the dimensions of the probabilistic state space from 64 to just 6. Note that also F # 5 = F# 6 = I. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 4 of 45

13 (Abstract) Transfer Operators F # = F # = Bolzano, -6 August ESSLLI 6 Probabilistic Program Analysis Slide 5 of Probability Equations Prob 0 entry 0 () 0 0= 0 ρ Prob 0 0 entry () = Prob exit 4 () Prob 0 entry 0 (3) 0 0= 0 Prob 0 exit 0 () Prob 0 0 entry (4) = Prob exit (3) The pre-processing probability analysis via equations: Prob entry (5) = Prob exit (4) P # Prob 0 0 entry 0 (6) 0 = 0 Prob 0 exit 0 (4) 0 0(I 0 P 0 # 4 ) Prob exit () = Prob 0 entry () F # F # 3 = Prob exit () = Prob entry () F # Prob 0 0 exit 0(3) 0 = 0 Prob 0 0 entry 0 () 0 0F # Prob exit (4) = Prob entry (4) Prob exit (5) = Prob entry (5) Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 6 of

14 Data Flow Equations With this information we can formulate the actual LV equations: LV entry () = LV exit () (K I I) LV entry () = LV exit () (I K I) LV entry (3) = LV exit (3) (L L I) LV entry (4) = LV exit (4) (L I I) LV entry (5) = LV exit (5) (L I K) LV entry (6) = LV exit (6) (I L K) LV exit () = LV entry () LV exit () = LV entry (3) LV exit (3) = LV entry (4) LV exit (4) = p 4,5 LV entry (5) + p 4,6 LV entry (6) LV exit (5) = (, 0) (, 0) (, 0) Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 7 of 45 Example: Solution LV exit (6) = (, 0) (, 0) (, 0) The solution to the LV equations is then given by: LV entry () = (, 0) (, 0) (, 0) LV entry () = (0, ) (, 0) (, 0) LV entry (3) = 0.5 (0, ) (0, ) (, 0) (0, ) (0, ) (, 0) = (0, ) (0, ) (, 0) LV entry (4) = 0.5 (0, ) (, 0) (, 0) (0, ) (0, ) (, 0) LV entry (5) = (0, ) (, 0) (, 0) LV entry (6) = (, 0) (0, ) (, 0) LV exit () = (0, ) (, 0) (, 0) LV exit () = (0, ) (0, ) (, 0) Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 8 of 45 LV exit (3) = 0.5 (0, ) (, 0) (, 0) +

15 The Moore-Penrose Pseudo-Inverse Definition Let C and D be two finite-dimensional vector spaces and A : C D a linear map. Then the linear map A = G : D C is the Moore-Penrose pseudo-inverse of A iff A G = P A and G A = P G, where P A and P G denote orthogonal projections onto the ranges of A and G. Definition Let A R m n and b R m. Then u R n is called a least squares solution to Ax = b if Theorem Au b Av b, for all v R n. Let A R m n and b R m. Then A b is the minimal least squares solution to Ax = b. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 9 of 45 Probabilistic Abstract Interpretation Probabilistic Abstract Interpretation is based on: Concrete and abstract domains are linear spaces C, D... Concrete and abstract semantics are linear operators T... The Moore-Penrose pseudo-inverse allows us to construct the closest (i.e. least square) approximation T # : D D of a concrete semantics T : C C which we define via the Moore-Penrose pseudo-inverse: T # = G T A = A T A = A T G. This gives a smaller DTMC via the abstracted generator T #. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 30 of 45

16 Probabilistic Program Analysis vs Statistics Probabilistic Program Analysis Probabilities are given (as values or parameters): Calculate properties according to these input data using the program semantics, i.e. deduce probabilities of properties from semantics. Statistical Analysis Probabilities and initial states are not known: Estimate these parameters using observations of the program behaviour, i.e. infer execution probabilities by observing some sample runs. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 3 of 45 Using Statistics Infer execution probabilities by observing some sample runs. Identify a random vector y with some measurement results Identify a model by a vector of parameters β Construct a matrix X mapping models to the runs Use X and y to find a best estimator of the model. Theorem (Gauss-Markov) Consider the linear model y = βx + ε with X of full column rank and ε (fulfilling some conditions) Then the Best Linear Unbiased Estimator (BLUE) is given by ˆβ = yx. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 3 of 45

17 Modular Exponentiation s := ; i := 0; while i<=w do if k[i]== then x := (s*x) mod n; else r := s; fi; s := r*r; i := i+; od; P.C. Kocher: Cryptanalysis of Diffie-Hellman, RSA, DSS, and other cryptosystems using timing attacks, CRYPTO 95. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 33 of 45 Paths and Fronts Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 34 of 45

18 Observing Traces: The DTMC Consider the following simple DTMC with parameters p and q in the real interval [0, ]: p p 0 q q T pq = ( p p q q ) This behaviour is essentially the one of the following program: while (true) do if (x == ) then x?= { 0, p,, p } else x?= { 0, q,, q } fi od Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 35 of 45 Observing Traces: Possible Parameters Instantiating the parameters: 0 T 0, = ( 0 0 ) 0 ( T, = 0 ) Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 36 of 45

19 Observing Traces: Possible Parameters Instantiating the parameters: 0 T 0, 0 T, ( 0 = = ( ) ) Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 37 of 45 Identifying the Concrete Model PAI can be used to this purpose as follows: Abstract domain: D = V(M), with M = { s, p, q s {0, }, p, q [0, ]} Concrete domain: C = V(T ) with T = {0, } + (execution traces) Design matrix: G : D C associates to each instance model the corresponding distribution on traces Compute the Moore-Penrose pseudo-inverse G of G to calculate the best estimators of the parameters p and q. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 38 of 45

20 Numerical Experiments In order to be able to compute an analysis of the system we considered p, q {0,, }, i.e. 9 possible semantics, with possible initial states either 0 or. D = V({0, }) V({0,, }) V({0,, }) = R R 3 R 3 = R 8 Observe traces of a certain length, e.g. traces of length t = 3: C 3 = V({0, } 3 ) = V({0, }) 3 = (R ) 8 = R 8 Actually, we simulated 0000 executions (with errors) of the system and observed traces of length t = 0. C 0 = V({0, } 0 ) = V({0, }) 0 = (R ) 0 = R 04 Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 39 of 45 Numerical Experiments: Parameter Space D = R 9 s p q s p q Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 40 of 45

21 Experiments: Trace Space C 3 = R 8 and C 0 = R 04 trace C trace C Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 4 of 45 Experiments: Concretisation G 3 G 3 = Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 4 of 45

22 Experiments: Regression G 3 (Abstraction) G t 3 = Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 43 of 45 Numerical Experiments for C 0 For the model p = 0, q = we obtained (for different noise distortions ε) by observation of the possible traces in 0000 test runs their (experimental) probability distributions y, y etc. in R 04 (where y i is the observed frequency of trace i) and from these estimate the (unknown) parameters via: yg 0 = (0, 0, 0, 0, 0, 0, 0.50, 0.49, 0, 0.0, 0, 0, 0, 0, 0, 0, 0, 0) y G 0 = (0, 0, 0, 0, 0, 0, 0.49, 0.50, 0.0, 0, 0, 0, 0, 0, 0, 0, 0, 0) y G 0 = (0, 0, 0, 0, 0, 0, 0.43, 0.43, 0.07, 0.06, 0, 0, 0, 0, 0, 0, 0, 0) y G 0 = (0, 0, 0.0, 0, 0, 0, 0.33, 0.35, 0.6, 0.6, 0, 0, 0, 0, 0, 0, 0, 0) The distribution y denotes the undistorted case, y the case with ε = 0.0, y the case ε = 0., and y the case ε = 0.5. The initial state was always chosen with probability state 0 or the state. as the Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 44 of 45

23 Some References Di Pierro, Wiklicky: Probabilistic data flow analysis: A linear equational approach. Proceedings of GandALF 3, EPTCS, Volume 9, 03. Di Pierro, Hankin, Wiklicky: Probabilistic semantics and analysis. in Formal Methods for Quantitative Aspects of Programming Languages, LNCS 655, Springer, 00. Di Pierro, Wiklicky: Probabilistic Abstract Intepretation: From Trace Semantics to DTMC s via Linear Regression. LNCS 9560, Springer, 06. Nielson, Nielson, Hankin: Principles of Program Analysis. Springer, 999/005. Bolzano, -6 August 06 ESSLLI 6 Probabilistic Program Analysis Slide 45 of 45