Article

Software model checking without source code

Authors:
To read the full-text of this research, you can request a copy directly from the authors.

Abstract

We present a framework, called AIR, for verifying safety properties of assembly language pro- grams via software model checking. AIR extends the applicability of predicate abstraction and counterexample guided abstraction refinement to the automa ted verification of low-level software. By working at the assembly level, AIR allows verification of programs for which source code is unavailable-such as legacy and COTS software-and programs that use features-such as pointers, structures, and object-orientation-that are problematic for source-level software verification tools. In addition, AIR makes no assumptions about the underlying compiler technology. We have imple- mented a prototype of AIR and present encouraging results on several non-trivial examples.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

... [1] char * p1; // input; [2] char p2[] = "bot.execute"; [3] int v; [4] char c1; [5] do { [6] c1 = * p1++; [7] c2 = * p2++; [8] v = (unsigned)c1 -(unsigned)c2; [9] if(v ! = 0) [10] break; [11] } while(c1 ! ...
... some cases, it is possible that a candidate node marked as N t or N f has a branch predicate, the negation of which causes the path constraint [1] if(strcmp(c[0], "aaa")==0) { [2] n = atoi(c[5]); [3] } [4] if(strcmp(c[1], "bbb")==0) { [5] APICall1(...); [6] } [7] if(strcmp(c[2], "ccc")==0) { [8] n = atoi(c[5]); [9] } [10] if(strcmp(c[3], "ddd")==0) { [11] n = atoi(c[5]); [12] } [13] if(strcmp(c[4], "eee")==0) { [14] APICall2(...); [15]} (a) [1] if(strcmp(c[0], "aaa")==0) { [2] n = atoi(c[5]); [3] } [4] [8] n = atoi(c[5]); [9] } [10] else if(strcmp(c[3], "ddd")==0) { [11] n = atoi(c[5]); [12] } [13] to be infeasible, that does not help program exploration. For example, inFig. ...
... some cases, it is possible that a candidate node marked as N t or N f has a branch predicate, the negation of which causes the path constraint [1] if(strcmp(c[0], "aaa")==0) { [2] n = atoi(c[5]); [3] } [4] if(strcmp(c[1], "bbb")==0) { [5] APICall1(...); [6] } [7] if(strcmp(c[2], "ccc")==0) { [8] n = atoi(c[5]); [9] } [10] if(strcmp(c[3], "ddd")==0) { [11] n = atoi(c[5]); [12] } [13] if(strcmp(c[4], "eee")==0) { [14] APICall2(...); [15]} (a) [1] if(strcmp(c[0], "aaa")==0) { [2] n = atoi(c[5]); [3] } [4] [8] n = atoi(c[5]); [9] } [10] else if(strcmp(c[3], "ddd")==0) { [11] n = atoi(c[5]); [12] } [13] to be infeasible, that does not help program exploration. For example, inFig. ...
Article
Full-text available
Botnets are a major threat to the security of computer systems and the Internet. An increasing number of individual Internet sites have been compromised by attacks from all across the world to become part of various kinds of malicious botnets. The Internet security research community has made significant efforts to identify botnets, to collect data on their activities, and to develop techniques for detection, mitigation, and disruption. One way of analyzing the behavior of bots is to run the bot executables and observe their actions. For this to be possible, one needs proper input commands that trigger malicious behaviors. However, it is difficult and time-consuming to manually infer botnet commands from binaries. In this paper, we present a tool called BCE for automatically extracting botnet-command information from bot executables. Our experiments showed that the new search strategies developed for BCE yielded both substantially higher coverage of the parts of the program relevant to identifying bot commands, as well as lowered run-time.
... The source program may be a high-level language, an intermediate code (e.g. Java bytecode, LLVM bitcode [26,20], Common Intermediate Language. . . ) or even, with some added difficulty, binary executable code [8]. ...
... In the "DPLL(T)" approach (see e.g. Kroening and Strichman [25] for an introduction), SMT is implemented as a combination of a SAT solver, 8 which searches within a Boolean state space (here, amounting to b 1 , . . . , b n ∈ {0, 1} n , but in general arithmetic or other theory predicates are also taken into account) and a decision procedure for conjunctions of atomic formulas from a theory T. 9 8 Almost all current SAT solvers implement variants of constraint-driven clause learning (CDCL), a major improvement over DPLL (Davis, Putnam, Logemann, Loveland), thus the terminology. ...
Article
Full-text available
In systems with hard real-time constraints, it is necessary to compute upper bounds on the worst-case execution time (WCET) of programs; the closer the bound to the real WCET, the better. This is especially the case of synchronous reactive control loops with a fixed clock; the WCET of the loop body must not exceed the clock period. We compute the WCET (or at least a close upper bound thereof) as the solution of an optimization modulo theory problem that takes into account the semantics of the program, in contrast to other methods that compute the longest path whether or not it is feasible according to these semantics. Optimization modulo theory extends satisfiability modulo theory (SMT) to maximization problems. Immediate encodings of WCET problems into SMT yield formulas intractable for all current production-grade solvers --- this is inherent to the DPLL(T) approach to SMT implemented in these solvers. By conjoining some appropriate "cuts" to these formulas, we considerably reduce the computation time of the SMT-solver. We experimented our approach on a variety of control programs, using the OTAWA analyzer both as baseline and as underlying microarchitectural analysis for our analysis, and show notable improvement on the WCET bound on a variety of benchmarks and control programs.
... As noticed in [5] this apparently small limitation allows one to perform model checking of a CTL-formula in linear time (w.r.t. the length of the formula and the dimension of the model). Probably, the most famous implementation for general purpose temporal logic model checking is SPIN [6]; among other tools for low-level software verification, we cite [2,8]. ...
Conference Paper
Full-text available
Formal verification of low-level software has become a trend in the formal methods community. Over the past decade, there has been considerable advancement in the theory and practice of automated formal software verification, and one of the most promising paradigms to emerge in this area is software model checking. In this work, we consider a possible application of this methodology to the verification of MIPS Assembly programs. We consider very small programs and very simple safety requirements, such as a register is never used before initialization. We present a newly developed, non optimized, software system to this purpose, whose distinctive feature is being specifically tailored for MIPS programs, and that allows a number of possible generalization in the type and the scope of the properties that can be checked. This work has been undertaken while three out of four authors were first-year undergraduate students at the University of Information Science and Technology in Ohrid (Macedonia).
... While such an approach offers a very precise solution for dealing with inline assembly, if the assembly semantics are fully encoded in C, it does not deal with the problems that arise in executable analysis -e.g., jumps are assumed to only go to predefined labels. Chaki and Ivers [24] basically follow the same approach of translating assembly source code into C, but they use a predicate abstraction based model checker to check specifications on the resulting C program. ...
... AIR ("Assembly Iterative Refinement") [61] is a model checker for PowerPC. AIR decompiles an assembly program to C, and then checks if the resulting C program satisfies the desired property by applying COPPER [60], a predicate-abstraction-based model checker for C source code. ...
... In contrast, MCVETO addresses the challenges of checking properties of stripped executables articulated in §1. AIR ( " Assembly Iterative Refinement " ) [13] is a model checker for PowerPC. AIR decompiles an assembly program to C, and then checks if the resulting C program satisfies the desired property by applying COPPER [12] , a predicateabstraction-based model checker for C source code. ...
Conference Paper
Full-text available
We present the algorithms used in MCVETO (Machine-Code VErification TOol), a tool to check whether a stripped machine- code program satisfies a safety property. The verification problem that MCVETO addresses is challenging because it cannot assume that it has access to (i) certain structures commonly relied on by source-code verifi- cation tools, such as control-flow graphs and call-graphs, and (ii) meta- data, such as information about variables, types, and aliasing. It can- not even rely on out-of-scope local variables and return addresses being protected from the program's actions. What distinguishes MCVETO from other work on software model checking is that it shows how verification of machine-code can be performed, while avoiding conventional techniques that would be unsound if applied at the machine-code level.
Conference Paper
Full-text available
In this paper, we describe our verification tool F-Soft, which is developed for the analysis of C programs. Its novelty lies in the combination of several recent advances in formal verification research including SAT-based verification, static analyses and predicate abstraction. As shown in the tool overview in Figure1, we translate a program into a Boolean model to be analyzed by our verification engine DiVer[4], which includes BDD-based and SAT-based model checking techniques. We include various static analyses, such as computing the control flow graph of the program, program slicing with respect to the property, and performing range analysis as described in Section 2.2. We model the software using a Boolean representation, and use customized heuristics for the SAT-based analysis as described in Section [2.1]. We can also perform a localized predicate abstraction with register sharing as described in Section [2.3], if the user so chooses. The actual analysis of the resulting Boolean model is performed using DiVer. If a counter-example is discovered, we use a testbench generator that automatically generates an executable program for the user to examine the bug in his/her favorite debugger. The F-Soft tool has been applied on numerous case studies and publicly available benchmarks for sequential C programs. We are currently working on extending it to handle concurrent programs.
Chapter
Full-text available
In recent years, there has been a growing need for tools that an analyst can use to understand the workings of COTS components, plug-ins, mobile code, and DLLs, as well as memory snapshots of worms and virus-infected code. Static analysis provides techniques that can help with such problems; however, there are several obstacles that must be overcome: For many kinds of potentially malicious programs, symbol-table and debugging information is entirely absent. Even if it is present, it cannot be relied upon. To understand memory-access operations, it is necessary to determine the set of addresses accessed by each operation. This is difficult because While some memory operations use explicit memory addresses in the instruction (easy), others use indirect addressing via address expressions (difficult). Arithmetic on addresses is pervasive. For instance, even when the value of a local variable is loaded from its slot in an activation record, address arithmetic is performed. There is no notion of type at the hardware level, so address values cannot be distinguished from integer values. Memory accesses do not have to be aligned, so word-sized address values could potentially be cobbled together from misaligned reads and writes. We have developed static-analysis algorithms to recover information about the contents of memory locations and how they are manipulated by an executable. By combining these analyses with facilities provided by the IDAPro and Codesurfer toolkits, we have created CodeSurfer/x86, a prototype tool for browsing, inspecting, and analyzing x86 executables. From an x86 executable, CodeSurfer/x86 recovers intermediate representations that are similar to what would be created by a compiler for a program written in a high-level language. CodeSurfer/x86 also supports a scripting language, as well as several kinds of sophisticated pattern-matching capabilities. These facilities provide a platform for the development of additional tools for analyzing the security properties of executables.
Conference Paper
Full-text available
In this paper, we propose a method for the automatic construction of an abstract state graph of an arbitrary system using the Pvs theorem prover. Given a parallel composition of sequential processes and a partition of the state space induced by predicates 1, ..., g4 l on the program variables which defines an abstract state space, we construct an abstract state graph, starting in the abstract initial state. The possible successors of a state are computed using the Pvs theorem prover by verifying for each index i if i or i is a postcondition of it. This allows an abstract state space exploration for arbitrary programs.
Conference Paper
Full-text available
The zing project is an effort to build a flexible and scalable model checking infrastructure for concurrent software. The project is divided into four components: (1) a modeling language for expressing concurrent models of software systems, (2) a compiler for translating a zing model into an executable representation of its transition relation, (3) a model checker for exploring the state space of the zing model, and (4) model generators that automatically extract zing models from programs written in common programming languages.
Article
Full-text available
The state explosion problem remains a major hurdle in applying symbolic model checking to large hardware designs. State space abstraction, having been essential for verifying designs of industrial complexity, is typically a manual process, requiring considerable creativity and insight.In this article, we present an automatic iterative abstraction-refinement methodology that extends symbolic model checking. In our method, the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symbolic techniques that analyze such counterexamples and refine the abstract model correspondingly. We describe aSMV, a prototype implementation of our methodology in NuSMV. Practical experiments including a large Fujitsu IP core design with about 500 latches and 10000 lines of SMV code confirm the effectiveness of our approach.
Article
Full-text available
The majority of work carried out in the formal methods community throughout the last three decades has (for good reasons) been devoted to special languages designed to make it easier to experiment with mechanized formal methods such as theorem provers, proof checkers and model checkers. In this paper we will attempt to give convincing arguments for why we believe it is time for the formal methods community to shift some of its attention towards the analysis of programs written in modern programming languages. In keeping with this philosophy we have developed a verification and testing environment for Java, called Java PathFinder (JPF), which integrates model checking, program analysis and testing. Part of this work has consisted of building a new Java Virtual Machine that interprets Java bytecode. JPF uses state compression to handle big states, and partial order and symmetry reduction, slicing, abstraction, and runtime analysis techniques to reduce the state space. JPF has been applied to a real-time avionics operating system developed at Honeywell, illustrating an intricate error, and to a model of a spacecraft controller, illustrating the combination of abstraction, runtime analysis, and slicing with model checking.
Conference Paper
Full-text available
We present a new methodology for automatic verification of C programs against finite state machine specifications. Our approach is compositional, naturally enabling us to decompose the verification of large software systems into subproblems of manageable complexity. The decomposition reflects the modularity in the software design. We use weak simulation as the notion of conformance between the program and its specification. Following the abstract-verify-refine paradigm, our tool MAGIC first extracts a finite model from C source code using predicate abstraction and theorem proving. Subsequently, simulation is checked via a reduction to Boolean satisfiability. MAGIC is able to interface with several publicly available theorem provers and SAT solvers. We report experimental results with procedures from the Linux kernel and the OpenSSL toolkit.
Conference Paper
Full-text available
The majority of the work carried out in the formal methods community throughout the last three decades has (for good reasons) been devoted to special languages designed to make it easier to experiment with mechanized formal methods such as theorem provers and model checkers. In this paper, we give arguments for why we believe it is time for the formal methods community to shift some of its attention towards the analysis of programs written in modern programming languages. In keeping with this philosophy, we have developed a verification and testing environment for Java, called Java PathFinder (JPF), which integrates model checking, program analysis and testing. Part of this work has consisted of building a new Java Virtual Machine that interprets Java bytecode. JPF uses state compression to handle large states, and partial order reduction, slicing, abstraction and run-time analysis techniques to reduce the state space. JPF has been applied to a real-time avionics operating system developed at Honeywell, illustrating an intricate error, and to a model of a spacecraft controller, illustrating the combination of abstraction, run-time analysis and slicing with model checking
Article
Full-text available
We present a new methodology for automatic verification of C programs against finite state machine specifications. Our approach is compositional, naturally enabling us to decompose the verification of large software systems into subproblems of manageable complexity. The decomposition reflects the modularity in the software design. We use weak simulation as the notion of conformance between the program and its specification. Following the counterexample guided abstraction refinement (CEGAR) paradigm, our tool MAGIC first extracts a finite model from C source code using predicate abstraction and theorem proving. Subsequently, weak simulation is checked via a reduction to Boolean satisfiability. MAGIC has been interfaced with several publicly available theorem provers and SAT solvers. We report experimental results with procedures from the Linux kernel, the OpenSSL toolkit, and several industrial strength benchmarks.
Technical Report
Full-text available
Compiler compilers are in widespread use, but decompiler compilers are a more novel concept. This paper sets out a technique for the decompilation of object code back to source code, and describes a working decompiler generator. Applications include reverse engineering, quality assessment, debugging and safety-critical code validation or verification.
Conference Paper
Full-text available
We present a process for validating temporal safety properties of software that uses a well-dened interface. The process requires only that the user state the property of interest. It then automatically creates abstractions of C code using iterative renement, based on the given property. The process is realized in the SLAM toolkit, which consists of a model checker, predicate abstraction tool and predicate discovery tool. We have applied the SLAM toolkit to a number of Windows NT device drivers to validate critical safety properties such as correct locking behavior. We have found that the process converges on a set of predicates powerful enough to validate properties in just a few iterations. 1. INTRODUCTION Large-scale software has many components built by many programmers. Integration testing of these components is impossible or ineective at best. Property checking of interface usage provides a way to partially validate such software. In this approach, an interface provides a se...
Article
Full-text available
We have formally described a substantial subset of the MC68020, a widely used microprocessor built by Motorola, within the mathematical logic of the automated reasoning system Nqthm, a.k.a. the Boyer-Moore Theorem Prover [6]. Using this formal description, we have mechanically checked the correctness of MC68020 object code programs for binary search, Hoare's Quick Sort, twenty-one functions from the Berkeley Unix C string library, and other well-known algorithms. The object code for these examples was generated using the Gnu C, the Verdix Ada, and the Gnu Common Lisp compilers. We have mechanized a mathematical theory to facilitate automated reasoning about object code programs. We describe a two stage methodology we use to do our proofs.
Article
We present a tool for the formal verification of ANSI-C programs using Bounded Model Checking (BMC). The emphasis is on usability: the tool supports almost all ANSI-C language features, including pointer constructs, dynamic memory allocation, recursion, and the float and double data types. From the perspective of the user, the verification is highly automated: the only input required is the BMC bound. The tool is integrated into a graphical user interface. This is essential for presenting long counterexample traces: the tool allows stepping through the trace in the same way a debugger allows stepping through a program.
Article
This paper describes the use of the SPADE static analysis and verification tools to model, analyse and formally verify the LUCOL assembly code modules used in the fuel control unit of the Rolls-Royce RB211-524G jet engine. This is probably the first tool-supported formal proof of correctness of safety-critical assembly code in the U.K. The work described is further novel in a number of aspects: the construction of a rigorous model of Z8002 assembly code amenable to analysis and formal verification by SPADE, the rapid development in Prolog of a translator from Z8002 assembly code to FDL (SPADE’s modelling language), the formalisation of the written specifications provided into pre- and post-conditions expressed in first-order predicate calculus, and the use of the SPADE Proof Checker to carry out the proofs of correctness.
Article
In this paper, we propose a method for the automatic construction of an abstract state graph of an arbitrary system using the Pvs theorem prover. Given a parallel composition of sequential processes and a partition of the state space induced by predicates phi(l), ..., phi(l) on the program variables which defines an abstract state space, we construct an abstract state graph, starting in the abstract initial state. The possible successors of a state are computed using the PvS theorem prover by verifying for each index i if phi(i) or -phi(i) is a postcondition of it. This allows an abstract state space exploration for arbitrary programs.
Data
Compiler compilers are in widespread use, but decompiler compilers are a more novel concept. This paper sets out a technique for the decompilation of object code back to source code, and describes a working decompiler generator. Applications include reverse engineering, quality assessment, debug-ging and safety-critical code validation or verification.
Conference Paper
Model checking has proven to be an eective technology for verification and debugging in hardware and more recently in software domains. We believe that recent trends in both the requirements for soft- ware systems and the processes by which systems are developed suggest that domain-specific model checking engines may be more eective than general purpose model checking tools. To overcome limitations of existing tools which tend to be monolithic and non-extensible, we have developed an extensible and customizable model checking framework called Bogor. In this tool paper, we summarize (a) Bogor's direct support for model- ing object-oriented designs and implementations, (b) its facilities for ex- tending and customizing its modeling language and algorithms to create domain-specific model checking engines, and (c) pedagogical materials that we have developed to describe the construction of model checking tools built on top of the Bogor infrastructure.
Conference Paper
Concurrency, as a useful feature of many modern programming languages and systems, is generally hard to reason about. Although existing work has explored the verification of concurrent programs using high-level languages and calculi, the verification of concurrent assembly code remains an open problem, largely due to the lack of abstraction at a low-level. Nevertheless, it is sometimes necessary to reason about assembly code or machine executables so as to achieve higher assurance.In this paper, we propose a logic-based "type" system for the static verification of concurrent assembly programs, applying the "invariance proof" technique for verifying general safety properties and the "assume-guarantee" paradigm for decomposition. In particular, we introduce a notion of "local guarantee" for the thread-modular verification in a non-preemptive setting.Our system is fully mechanized. Its soundness has been verified using the Coq proof assistant. A safety proof of a program is semi-automatically constructed with help of Coq, allowing the verification of even undecidable safety properties. We demonstrate the usage of our system using three examples, addressing mutual exclusion, deadlock freedom, and partial correctness respectively.
Conference Paper
This paper sketches the design and implementation of Device-Driver Analyzer for x86 (DDA/x86), a prototype analysis tool for finding bugs in stripped Windows device-driver executables (i.e., when neither source code nor symbol-table/debugging information is available), and presents a case study. DDA/x86 was able to find known bugs (previously discovered by source-code-based analysis tools) along with useful error traces, while having a reasonably low false-positive rate. This work represents the first known application of automatic program verification/analysis to stripped industrial executables, and allows one to check that an executable does not violate known API usage rules (rather than simply trusting that the implementation is correct).
Conference Paper
We formalize a notion of witnesses for satisfaction of linear temporal logic specifications by infinite state programs. We show how such witnesses may be constructed via predicate abstraction, and validated by generating verification conditions and proving them. We propose the use of SAT-based theorem provers and resolution proofs in proving these verification conditions. In addition to yielding extremely compact proofs, a SAT-based approach overcomes several limitations of conventional theorem provers when applied to the verification of programs written in real-life programming languages. We also formalize a notion of witnesses of simulation conformance between infinite state programs and finite state machine specifications. We present algorithms to construct simulation witnesses of minimal size by solving pseudo-Boolean constraints. We present experimental results on several non-trivial benchmarks which suggest that a SAT-based approach can yield extremely compact proofs, in some cases by a factor of over 105, when compared to existing non-SAT-based theorem provers.
Conference Paper
We present the notion of translation validation as a new approach to the verification of translators (compilers, code generators). Rather than proving in advance that the compiler always produces a target code which correctly implements the source code (compiler verification), each individual translation (i.e. a run of the compiler) is followed by a validation phase which verifies that the target code produced on this run correctly implements the submitted source program. Several ingredients are necessary to set up the — fully automatic — translation validation process, among which are:1. A common semantic framework for the representation of the source code and the generated target code. 2. A formalization of the notion of “correct implementation” as a refinement relation. 3. A syntactic simulation-based proof method which allows to automatically verify that one model of the semantic framework, representing the produced target code, correctly implements another model which represents the source. These, and other ingredients are elaborated in this paper, in which we illustrate the new approach in a most challenging case. We consider a translation (compilation) from the synchronous multi-clock data-flow language Signal to asynchronous (sequential) C-code.
Article
"May 1990." "February 1991"--Cover. Thesis (Ph. D.)--University of Cambridge, 1990. Pages 208 and 218 blank. Includes bibliographical references (p. 209-217).
Article
Thesis (Ph. D.)--Yale University, 2004. Microfilm. s
Conference Paper
Boolean satisfiability is probably the most studied of the combinatorial optimization/search problems. Significant effort has been devoted to trying to provide practical solutions to this problem for problem instances encountered in a range of applications in electronic design automation (EDA), as well as in artificial intelligence (AI). This study has culminated in the development of several SAT packages, both proprietary and in the public domain (e.g. GRASP, SATO) which find significant use in both research and industry. Most existing complete solvers are variants of the Davis-Putnam (DP) search algorithm. In this paper we describe the development of a new complete solver, Chaff which achieves significant performance gains through careful engineering of all aspects of the search-especially a particularly efficient implementation of Boolean constraint propagation (BCP) and a novel low overhead decision strategy. Chaff has been able to obtain one to two orders of magnitude performance improvement on difficult SAT benchmarks in comparison with other solvers (DP or otherwise), including GRASP and SATO.
Conference Paper
Numerous researchers have reported success in reasoning about properties of small programs using finite-state verification techniques. We believe, as do most researchers in this area, that in order to scale those initial successes to realistic programs, aggressive abstraction of program data will be necessary. Furthermore, we believe that to make abstraction-based verification usable by non-experts significant tool support will be required. In this paper we describe how several different program analysis and transformation techniques are integrated into the Bandera toolset to provide facilities for abstracting Java programs to produce compact, finite-state models that are amenable to verification for example via model checking. We illustrate the application of Bandera's abstraction facilities to analyze a realistic multi-threaded Java program.
Article
The formal verification of low-level code is a problem largely ignored by the academic community although it is seen as a major problem in industry. The paper examines the problems associated with verification at this level and describes SPADE-8080, a verifiable sublanguage of the Intel 8080. It also shows how programs written in SPADE-8080 can be analyzed and formally verified with the SPADE software tools
Article
One approach to model checking software is based on the abstract-check-refine paradigm: build an abstract model, then check the desired property, and if the check fails, refine the model and start over. We introduce the concept of lazy abstraction to integrate and optimize the three phases of the abstract-check-refine loop. Lazy abstraction continuously builds and refines a single abstract model on demand, driven by the model checker, so that different parts of the model may exhibit different degrees of precision, namely just enough to verify the desired property. We present an algorithm for model checking safety properties using lazy abstraction and describe an implementation of the algorithm applied to C programs. We also provide sufficient conditions for the termination of the method.
Conference Paper
Model checking is often performed by checking a transformed property on a suitable finite-state abstraction of the source program. Examples include abstractions resulting from symmetry reduction, data independence, and predicate abstraction. The two programs are linked by a structural relationship, such as simulation or bisimulation, guaranteeing that if the transformed property holds on the abstract program, the property holds on the original program. Recently, several algorithms have been developed to automatically generate a deductive proof of correctness from a model checker. A natural question, therefore, is how to ‘lift’ a deductive proof that is generated for an abstract program back into the original program domain. In this paper, we show how this can be done for general temporal properties, relative to several types of abstraction relationships between the two programs. We develop simplifications of the lifting scheme for common types of abstractions, such as predicate abstraction. We also show how one may generate easily checkable lifted proofs, which find use in applications such as proof-carrying code, and in the use of model checkers as decision procedures in theorem proving.
Article
This report describes Proof-Carrying Code, a software mechanism that allows a host system to determine with certainty that it is safe to execute a program supplied by an untrusted source. For this to be possible, the untrusted code supplier must provide with the code a safety proof that attests to the code's safety properties. The code consumer can easily and quickly validate the proof without using cryptography and without consulting any external agents. In order to gain preliminary experience with proof-carrying code, we have performed a series of case studies. In one case study, we write safe assembly-language network packet filters. These filters can be executed with no run-time overhead, beyond a one-time cost of 1 to 3 milliseconds for validating the attached proofs. The net result is that our packet filters are formally guaranteed to be safe and are faster than packet filters created using Berkeley Packet Filters, Software Fault Isolation, or safe languages such as Modula-3. In ...
Article
Theorem proving allows the formal verification of the correctness of very large systems. In order to increase the acceptance of theorem proving systems during the design process, we implemented higher order logic proof systems for ANSI-C and Verilog within a framework for application specific proof systems. Furthermore, we implement the language of the PVS theorem prover as well-established higher order specification language. The tool allows the verification of the design languages using a PVS specification and the verification of hardware designs using a C program as specification. We implement powerful decision procedures using Model Checkers and satisfiability checkers. We provide experimental results that compare the performance of our tool with PVS on large industrial scale hardware examples.
Article
Numerous researchers have reported success in reasoning about properties of small programs using finite-state verification techniques. We believe, as do most researchers in this area, that in order to scale those initial successes to realistic programs, aggressive abstraction of program data will be necessary. Furthermore, we believe that to make abstraction-based verification usable by non-experts significant tool support will be required. In this paper, we describe how several different program analysis and transformation techniques are integrated into the Bandera toolset to provide facilities for abstracting Java programs to produce compact, finite-state models that are amenable to verification, for example via model checking. We illustrate the application of Bandera's abstraction facilities to analyze a realistic multi-threaded Java program. 1. Introduction Finite-state verification techniques, such as model checking, are rekindling interest in program verification. Such techniqu...
Article
Boolean Satisfiability is probably the most studied of combinatorial optimization/search problems. Significant effort has been devoted to trying to provide practical solutions to this problem for problem instances encountered in a range of applications in Electronic Design Automation (EDA), as well as in Artificial Intelligence (AI). This study has culminated in the development of several SAT packages, both proprietary and in the public domain (e.g. GRASP, SATO) which find significant use in both research and industry. Most existing complete solvers are variants of the Davis-Putnam (DP) search algorithm. In this paper we describe the development of a new complete solver, Chaff, which achieves significant performance gains through careful engineering of all aspects of the search -- especially a particularly efficient implementation of Boolean constraint propagation (BCP) and a novel low overhead decision strategy. Chaff has been able to obtain one to two orders of magnitude performance improvement on difficult SAT benchmarks in comparison with other solvers (DP or otherwise), including GRASP and SATO.
Conference Paper
Model Checking is an algorithmic technique to determine whether a temporal property holds of a program. For linear time properties, a model checker produces a counterexample computation if the check fails. This computation acts as a "certificate" of failure, as it can be checked easily and independently of the model checker by simulating it on the program. On the other hand, no such certificate is produced if the check succeeds. In this paper, we show how this asymmetry can be eliminated with a certifying model checker. The key idea is that, with some extra bookkeeping, a model checker can produce a deductive proof on either success or failure. This proof acts as a certificate of the result, as it can be checked mechanically by simple, non-fixpoint methods that are independent of the model checker. We develop a deductive proof system for verifying branching time properties expressed in the mu-calculus, and show how to generate a proof in this system from a model checking run. Proofs for linear time properties form a special case. A model checker that generates proofs can be used for many interesting applications, such as better ways of exploring errors in a program, and a tight integration of model checking with automated theorem proving. 1
A next-generation platform for analyzing executables Lecture notes in computer science, vol 3780
  • T Reps
  • G Balakrishnan
  • J Lim
  • Teitelbaum
Construction of abstract state graphs with PVS Lecture notes in computer science, vol 1254
  • S Graf
  • Saïdi
Certifying Model Checkers Lecture notes in computer science, vol 2102
  • Namjoshi
  • G Berry
  • H Comon
  • Finkel
Analyzing stripped device-driver executables Lecture notes in computer science, vol 4963
  • G Balakrishnan
  • Reps
Lifting temporal proofs through abstractions Lecture notes in computer science, vol 2575
  • Namjoshi
  • Ld Zuck
  • Pc Attie
  • A Cortesi
  • Mukhopadhyay
Lazy abstraction URL http://citeseer
  • Ta Henzinger
  • R Jhala
  • R Majumdar
  • Sutre
Generating Decompilers The University of Reading 7
  • Breuer Pt
  • Bowen
Breuer PT, Bowen JP (1998) Generating Decompilers. RUCS Technical Report RUCS/1998/TR/010/A, Department of Comput-ing, The University of Reading 7. CBMC website (2009) http://www.cprover.org/cbmc
A next-gener-ation platform for analyzing executables Proceedings of the third asian symposium on programming languages and sys-tems (APLAS '05) Lecture notes in computer science
  • Reps T G Balakrishnan
  • J Lim
  • Teitelbaum
Reps T, Balakrishnan G, Lim J, Teitelbaum T (2005) A next-gener-ation platform for analyzing executables. In: Yi K (ed) Proceedings of the third asian symposium on programming languages and sys-tems (APLAS '05). Lecture notes in computer science, vol 3780. Springer, Berlin, pp 212–229
Proof-carrying code In: Proceedings of the 24th ACM SIGPLAN-SIGACT symposium on principles of program-ming langauges (POPL '97) Association for Computing Machin-ery
  • Necula
  • Gc
Necula GC (1997) Proof-carrying code. In: Proceedings of the 24th ACM SIGPLAN-SIGACT symposium on principles of program-ming langauges (POPL '97). Association for Computing Machin-ery, pp 106–119