Automated Theorem Proving and Proof Checking. Proof Checking. Motivation. Cunning Plan. Standard Architecture. History

Transcription

1 Automated Theorem Proving and Proo Checking Engler: Automatically Generating Malicious Disks using Symex IEEE Security and Privacy 2006 Use CIL and Symbolic Execution on Linux FS code Special model o memory, makes theorem prover calls, aims to hit all paths, has trouble with loops New: transorm program so that it combines concrete and symbolic execution (c. RTCG) New: uses contraint solver to automatically generate test case (= FS image) Found 5 bugs (4 panic, 1 root) Special thanks to Wei Hu or noticing this #1 #2 Cunning Plan There are ull-semester courses on automated deduction; we will elide details. Logic Syntax Theories Satisiability Procedures Mixed Theories Theorem Proving Proo Checking SAT-based Theorem Provers (c. Engler paper) #3 Motivation Can be viewed as decidable AI Would be nice to have a procedure to automatically reason rom premises to conclusions Used to rule out the exploration o ineasible paths (model checking, datalow) Used to reason about the heap (McCarthy, symbolic execution) Used to automatically synthesize programs rom speciications (e.g. Leroy, Engler optional papers) Used to discover proos o conjectures (e.g., Tarski conjecture proved by machine in 1996, eicient geometry theorem provers) Generally under-utilized #4 History Standard Architecture Automated deduction is logical deduction perormed by a machine Involves logic and mathematics One o the oldest and technically deepest ields o computer science Some results are as much as 75 years old Checking a Large Routine, Turing 1949 Automation eorts are about 40 years old Floyd-Hoare axiomatic semantics Still experimental (even ater 40 years) Program Speciication Veriication Condition Generation Validity Theorem In A Logic Semantics Provability Meets Spec Or Found A Bug Automated Theorem Proving #5 #6 1

2 Logic Grammar We ll use the ollowing logic: Goals: G ::= L true G 1 G 2 H G x. G Hypotheses: H ::= L true H 1 H 2 Literals: L ::= p(e 1,, E k ) Expressions: E ::= n (E 1,, E m ) This is a subset o irst-order logic Intentionally restricted: no so ar Predicate unctions p: <, =, Expression unctions : +, *, sel, upd, #7 Theorem Proving Problem Write an algorithm prove such that: I prove(g) = true then G Soundnes (must have) I G then prove(g) = true Completeness (nice to have, optional) prove(h,g) means prove H G Architecture: Separation o Concerns #1. Handle,,, = #2. Handle, *, sel, upd, = #8 Theorem Proving Want to prove true things Avoid proving alse things We ll do proo-checking later to rule out the cat proo shown here For now, let s just get to the point where we can prove something Basic Symbolic Theorem Prover Let s deine prove(h,g) prove(h, true) = true prove(h, G 1 G 2 ) = prove(h,g 1 )&& prove(h, G 2 ) prove(h 1, H 2 G) = prove(h 1 H 2, G) prove(h, x. G) = prove(h, G[a/x]) prove(h, L) =??? (a is resh ) #9 #10 Theorem Prover or Literals Theory Terminology We have reduced the problem to prove(h,l) But H is a conjunction o literals L 1 L k Thus we really have to prove that L 1 L k L Equivalently, that L 1 L k L is unsatisiable For any assignment o values to variables the truth value o the conjunction is alse Now we can say prove(h,l) = Unsat(H L) #11 A theory consists o a set o unctions and predicate symbols (syntax) and deinitions or the meanings o those symbols (semantics) Examples: 0, 1, -1, 2, -3,, +, -, =, < (usual meanings; theory o integers with arithmetic or Presburger arithmetic ) =, (axioms o transitivity, anti-symmetry, and x. y. x y y x ; theory o total orders ) sel, upd (McCarthy s theory o lists ) #12 2

3 Decision Procedures or Theories The Decision Problem Decide whether a ormula in a theory with irstorder logic is true Example: Decide x. x>0 ( y. x=y+1) in {N, +, =, >} A theory is decidable when there is an algorithm that solves the decision problem This algorithm is the decision procedure or that theory Satisiability Procedures The Satisiability Problem Decide whether a conjunction o literals in the theory is satisiable Factors out the irst-order logic part The decision problem can be reduced to the satisiability problem Parameters or, skolem unctions or, negate and convert to DNF (sorry; I won t explain this here) Easiest Theory = Propositional Logic = SAT A decision procedure or it is a SAT solver #13 #14 Theory o Equality Theory o equality with uninterpreted unctions Symbols: =,,, g, Axiomatically deined (A,B,C Expressions): A=A B=A A=B A=B A=C B=C A=B (A) = (B) Example satisiability problem: g(g(g(x)))=x g(g(g(g(g(x)))))=x g(x) x More Satisying Examples Theory o Linear Arithmetic Symbols:, =, +, -, integers Example: y > 2x + 1, x > 1, y < 0 is unsat Satisiability problem is in P (loosely, no multiplication means no tricky encodings) Theory o Lists Symbols: cons, head, tail, nil head(cons(a,b)) = A tail(cons(a,b) = B Theorem: head(x) = head(y) tail(x) = tail(y) x = y #15 #16 Mixed Theories Oten we have acts involving symbols rom multiple theories E s symbols =,,, g, (uninterp unction equality) R s symbols =,, +, -,, 0, 1, (linear arithmetic) Running Example (and Fact): x y y + z x 0 z ((x) (y)) = (z) To prove this, we must decide: Unsat(x y, y + z x, 0 z, ((x) (y)) (z)) We may have a sat procedure or each theory E s sat procedure by Ackermann in 1924 R s proc by Fourier The sat proc or their combination is much harder Only in 1979 did we get E+R #17 Satisiability o Mixed Theories Unsat(x y, y + z x, 0 z, ((x) (y)) (z)) Can we just separate out the terms in Theory 1 rom the terms in Theory 2 and see i they are separately saisiable? No, unsound, equi-sat equivalent. The problem is that the two satisying assignments may be incompatible Idea (Nelson and Oppen): Each sat proc announces all equalities between variables that it discovers #18 3

4 Handling Multiple Theories We ll use cooperating decision procedures Each sat proc works on the literals it understands Sat procs share inormation (equalities) Consider Equality and Arith ((x) (y) (z) x y y + z x 0 z alse x = y (x) = (y) (x) (y) = z ((x) (y)) = (z) y x 0 = z How can we do this in our prover? #19 #20 Nelson-Oppen: The E-DAG Represent all terms in one Equivalence DAG Node names act as variables shared between theories! ((x) (y)) (z) y x x y + z z 0 - Nelson-Oppen: Processing Run each sat proc Report all contradictions (as usual) Report all equalities between nodes (key idea) - Implementation details: Use unionind to track node equivalence classes in E-DAG. When merging A=B, also merge (A)=(B). + + y x z 0 y x z 0 #21 #22 Nelson-Oppen: Processing Broadcast all discovered equalities Rerun sat procedures Until no more equalities or a contradiction - Contradiction X + y x z 0 Does It Work? I a contradiction is ound, then unsat This is sound i sat procs are sound Because only sound equalities are ever ound I there are no more equalities, then sat Is this complete? Have they shared enough ino? Are the two satisying assignments compatible? Yes! (Countable theories with ininite models admit isomorphic models, convex theories have necessary interpretations, etc.) #23 #24 4

5 Proos Checking proos ain t like dustin crops, boy! Proo Generation We want our theorem prover to emit proos No need to trust the prover Can ind bugs in the prover Can be used or proo-carrying code Can be used to extract invariants Can be used to extract models Implements the soundness argument On every run, a soundness proo is constructed #25 #26 Proo Representation Proos are trees Leaves are hypotheses/axioms Internal nodes are inerence rules Axiom: true introduction true Constant: truei : p p is the type o proos A B Inerence: conjunction introduction A B Constant: andi : p p p Inerence: conjunction elimination Constant: andel : p P Problem: A B A andel truei : p but does not represent a valid proo Need a more powerul type system that checks content truei andi andel Dependent Types Make p a amily o types indexed by ormulas : Type (type o encodings o ormulas) e : Type (type o encodings o expressions) p : Type (the type o proos indexed by ormulas: it is a proo that is true) Examples: true : and : truei : p true andi : p A p B p (and A B) andi : ΠA:. ΠB:. p A p B p (and A B) #27 #28 Proo Checking Validate proo trees by type-checking them Given a proo tree X claiming to prove A B Must check X : p (and A B) We use expression tree equality, so andel (andi 1+2=3 x=y ) does not have type p (3=3) This is already a proo system! I the proo-supplier wants to use the act that 1+2=3 3=3, she can include a proo o it somewhere! Thus Type Checking = Proo Checking And it s quite easily decidable! #29 Parametric Judgment Universal Introduction Rule o Inerence [a/x]a (a is resh) x. A We represent bound variables in the logic using bound variables in the meta-logic all : (e ) Example: x. x=x represented as (all (λx. eq x x)) Note: y. y=y has an α-equivalent representation Substitution is done by β-reduction in meta-logic [E/x](x=x) is (λx. eq x x) E #30 5

6 Parametric Proo Rules [a/x]a (a is resh) x. A Universal Introduction alli: ΠA:(e ). (Πa:e. p (A a)) p (all A) x. A [E/x]A Universal Elimination alle: ΠA:(e ). ΠE:e. p (all A) p (A E) Parametric Proo Rules x. A Existential Introduction existi: ΠA:(e ). ΠE:e. p (A E) p (exists A) Existential Elimination existe: ΠA:(e ). ΠB:. [E/x]A [a/x]a x. A B B p (exists A) (Πa:e. p (A a) p B) p B #31 #32 SAT-Based Theorem Provers Recall separation o concerns: #1 Prover handles connectives (,, ) #2 Sat procs handle literals (+,, 0, head) Idea: reduce proo obligation into propositional logic, eed to SAT solver (CVC) To Prove: 3*x=9 (x = 7 x 4) Becomes Prove: A (B C) Becomes Unsat: A (B C) Becomes Unsat: A ( B C) SAT-Based Theorem Proving To Prove: 3*x=9 (x = 7 x 4) Becomes Unsat: A ( B C) SAT Solver Returns: A=1, C=0 Ask sat proc: unsat(3*x=9, x 4) = true Add constraint: (A C) Becomes Unsat: A ( B C) (A C) SAT Solver Returns: A=1, B=0 Ask sat proc: unsat(3*x=9, x=7) = alse (x=3 is a satisying assignment) We re done! (original to-prove goal is alse) I SAT Solver returns no satisying assignment then original to-prove goal is true #33 #34 Homework Project Status Update Project Due Tue Apr 25 You have ~21 days to complete it. Need help? Stop by my oice or send . #35 6