Embedded Software Verification Challenges and Solutions. Static Program Analysis

Size: px

Start display at page:

Download "Embedded Software Verification Challenges and Solutions. Static Program Analysis"

Betty Long
6 years ago
Views:

1 Embedded Software Verification Challenges and Solutions Static Program Analysis Chao Wang NEC Labs America Princeton, NJ ICCAD Tutorial November 11,

2 Outline What programs? Program verification using verification condition generation Static Program Analysis Predicate Abstraction Bounded Model Checking (BMC) 2

3 Static Program Analysis Static program analysis consists of automatically discovering properties of a program that hold for all possible execution paths of the program. 3

4 Motivation Properties C program To supplement model checking (MC/BMC) Automated checkers Static Analyses Proof Start with accurate program modeling Bug Refinement Predicate Abstraction Apply static analyses Find easy proofs, and eliminate MC checks Generate invariants Simplify model for MC Counterexample Analysis FSM Model Model Checker Proof Does it work? 4

5 Static Program Analysis Modeling C programs Model extraction and reduction Numerical abstract domains Interval, Octagon, Polyhedral, Meet, Join, Post, Subset, Fix-point computation Polyhedral power-set domains Widening / Extrapolation Industrial experience 5

6 Model Extraction and Reduction C Program 1: void bar() { 2: int x = 3, y = x-3 ; 3: while ( x <= 4 ) { 4: y++ ; 5: x = foo(x); 6: } 7: y = foo(y); 8: } 9: 10: int foo ( int l ) { 11: int t = l+2 ; 12: if ( t>6 ) 13: t - = 3; 14: else 15: t --; 16: return t; 17: } Transformed C Program CFG Control Flow Graph? W X Symbolic FSM Model M = (S,s0,TR,L) Present State Source-to-source transformations Transition Relation Latches For modeling pointers, arrays, structures Control Flow Graph: Intermediate Representation Well-studied optimizations for model reduction Separating model building from model checking Static Program Analysis conducted on CFG Next State O Y 6

7 Source-to-source Transformations Handling Programming Language (C) Features Pointers are replaced by introducing auxiliary variables [Semeria & DeMicheli 98] Arrays and structures are flattened, i.e. each element/field modeled individually Every variable is assigned a logical address (integer) Adjacent addresses are given consecutive numbers, to model pointer arithmetic Automatic checker instrumentation 7

8 Modeling Pointers int *p; int x,y; p=&x; p=&y; *p=expr; assert(x> 10) Introduce (p ) to track *p Reads/writes as conditional assignments [Semeria & De Micheli 98] Uint p; int p ; int x,y; p=&x; p =x; p=&y; p =y; p =expr; x= (p==&x)?expr:x; y= (p==&y)?expr:y; points-to( p ) = {x, y} assert(x > 10) Compute sound points-to sets [Steensgaard 96] 8

9 Modeling Structures struct S { int i ; float f ; char c ; } s[3] ; int s_i[3]; float s_f[3]; char s_c[3]; Custom memory model Arrays and structures are flattened (up to a fixed depth) Each variable gets a memory address (integer number) Impact of this field-sensitive structure flattening All static analyses become field-sensitive Increase applicability of numeric abstract domains (intervals, octagons, polyhedral, ) 9

10 Adding Checkers Assertions added for array/pointer/string accesses Array buffer overflow checks ptrlo(p) and ptrhi(p) added, to track safe region in memory Pointer validity check ptrvalid(p) variable added, to track whether null or not String bugs strlen(p), fwdbnds(p) added, to track pointer and string length 10

11 Example int A[N], B[N]; int equals () { int i=n, j=n ; int result=1 ; } while ( i > 0 ) { i--; j--; if ( A[i]!= B[j] ) result = 0 ; } return result ; Checkers inserted int A[N], B[N]; void arraymodel () { int i=n, j=n ; int result=1; while ( i > 0 ) { i--; j--; if ( i<0 i>=n) ERROR() ; if ( j<0 j>=n) ERROR() ; if ( A[i]!= B[j] ) result = 0; } } 11

12 Control Flow Graph Line 2 1: void bar() { 2: int x = 3, y = x-3 ; 3: while ( x <= 4 ) { 4: y++ ; 5: x = foo(x); 6: } 7: y = foo(y); 8: } 9: 10: int foo ( int l ) { 11: int t = l+2 ; 12: if ( t>6 ) 13: t - = 3; 14: else 15: t --; 16: return t; 17: } Line 5 (return) Line 7 (return) Basic block w/ parallel assignments Line 3 Line 7 (call) Line 13 Line 16 Line 15 Line 4 Line 5 (call) Lines 11-12,14 12

13 Control Flow Graph Line 2 1: void bar() { 2: int x = 3, y = x-3 ; 3: while ( x <= 4 ) { 4: y++ ; 5: x = foo(x); 6: } 7: y = foo(y); 8: } 9: 10: int foo ( int l ) { 11: int t = l+2 ; 12: if ( t>6 ) 13: t - = 3; 14: else 15: t --; 16: return t; 17: } Line 5 (return) Line 7 (return) Line 3 Line 7 (call) Line 13 Line 16 Line 15 Line 4 Line 5 (call) Lines 11-12,14 13

14 Numerical Program Yields a CFG with only int type variables, i.e. a numerical program Recursive function calls using a bounded call stack Recursive data up to a bounded depth It s a EFSM (you can run model checking) 00 s = x+2; t > 6 t = x-1;! (t > 6) t- = 3; t--; s += t; 11 CFG => State (control + data) Machine Basic blocks => control states (PC variables) Program variables => data states Guarded transitions => TR for control states Parallel assignments => TR for data states Loop back-edges => transitions between control FSMs: Bit-precise accurate models Extended FSMs: finite control, but integer data (infinite) But wait without model reduction, that would be too expensive! 14

15 Simplify the model first Properties Automated Bug checkers Bug Testbench Generator Ctrex Analysis & Refinement Source code (C, stubs) Static Analysis Abstraction Model Transformation, Translation Model Checker (VeriSol) Program slicing Range analysis Invariant generation Polyhedral analysis Predicate Abstraction Proof 15

16 Program Slicing Removes irrelevant variables and code Forward slicing removes code not reachable from the main function Backward (property-specific) slicing removes code not affecting the correctness of given property void arithmetic(int *A, int n) { int sum=0, prod=1, mean=0; int i = 0 ; while ( i < n ) { sum += A[i] ; product *= A[i] ; mean += A[i]/n; i++ ; } assert( exp(sum) ); } original program void arithmetic(int *A, int n) { int sum=0, prod=1, mean=0; int i = 0 ; while ( i < n ) { sum += A[i] ; prod *= A[i] ; mean += A[i]/n; i++ ; } assert( exp(sum) ); } slice with respect to sum 16

17 Static Invariant Generation int A[N], B[N]; int equals () { int i=n, j=n ; int result=1 ; while ( i > 0 ) { i--; j--; if ( A[i]!= B[j] ) result = 0 ; } return result ; } Checkers inserted int A[N], B[N]; void arraymodel () { int i=n, j=n ; int result=1; while ( i > 0 ) { i--; j--; if ( i<0 i>=n) ERROR() ; if ( j<0 j>=n) ERROR() ; if ( A[i]!= B[j] ) result = 0; } Because of invariants at if-statements no error Difficult to prove by model checking (large N) Difficult to prove by predicate abstraction refinement Invariants: 0 i N 0 j N i==j Such invariants can be easily discovered by abstract interpretation } [Cousot & Cousot 77] 17

18 Abstract Interpretation A general framework for designing static program analyzers Abstract domains Inclusion, join, meet, projection, Abstract program semantics Abstract post condition Fixpoint computation Widening, narrowing 18

19 Program Semantics Concrete semantics: (Σ, ) s = program location, state s s' Abstract semantics: (Σ, ) Ŝ = program location, abstract state Ŝ Ŝ ' 19

20 Abstract Domains Sets: a1, a2, a Inclusion: a1 a2 imposes a partial order Join: a = a1 U a2 is the smallest set: a1 a, a2 a Used at join point of the CFG Meet: a = a1 a2 is the largest set: a a1, a a2 Used at the conditional branches of the CFG Abstract post condition: transfer function Model the effect of assignment Widening ( ) and narrowing ( ) to enforce convergence and improve solution Often Used at the back edges of loops 20

21 Program Semantics Concrete semantics: (Σ, ) s = program location, state s s' 1: n = k = 0; 2: while n < 10 do 3: n = n + 1; 4: k = k + n; 5: end 3,n=0^k=0 4,n=1 ^k=0 3,n=1^k=1 4,n=2 ^k=0... 3,n=9^k=45 4,n=10^k=45 21

22 Reachability Computation 1: n = k = 0; 2: while n < 10 do 3: n = n + 1; 4: k = k + n; 5: end Two choices: 1. Stay precise but store frontier set only 2. Over-approximate the state set F1 = { 1, } F2 = { 1,, 2,n=0^k=0 } F3 = { 1,, 2,n=0^k=0, 3,n=0^k=0 } F4 = { 1,, 2,n=0^k=0, 3,n=0^k=0, 4,n=1^k=0 } F5 = { 1,, 2,n=0^k=0, 3,n=0^k=0 v n=1^k=1, 3,n=0^k=0, 4,n=1^k=0 }... Problems: (1) state set may blow up (2) may not terminate 22

23 Convex Polyhedral Set (Join) 1: n = k = 0; 2: while n < 10 do 3: n = n + 1; 4: k = k + n; 5: end Two choices: 1. Stay precise but store frontier set only 2. Use a convex set (an over-approximation) F1 = { 1, } F2 = { 1,, 2,n=0^k=0 } F3 = { 1,, 2,n=0^k=0, 3,n=1^k=0 } F4 = { 1,, 2,n=0^k=0, 3,n=1^k=0, 4,n=1^k=1 } F5 = { 1,, 2,n=0^k=0, 3,n>=0^n<=1^k>=0^k<=1, 3,n=1^k=0,...}... = { 1,, 2,n=0^k=0, 3,n>=0^n<=10^k>=0^k<=55, Fixpoint! 23

24 Convex Polyhedral Set (Join) 1: n = k = 0; 2: while n < 10 do 3: n = n + 1; 4: k = k + n; 5: end F1 = { 1, } F2 = { 1,, 2,n=0^k=0 } F3 = { 1,, 2,n=0^k=0, 3,n=1^k=0 } F4 = { 1,, 2,n=0^k=0, 3,n=1^k=0, 4,n=1^k=1 } F5 = { 1,, 2,n=0^k=0, 3,n>=0^n<=1^k>=0^k<=1, 3,n=1^k=0,...}... = { 1,, 2,n=0^k=0, 3,n>=0^n<=10^k>=0^k<=55, Fixpoint! 24

25 Polyhedral Power-Sets (frontier) 1: n = k = 0; 2: while n < 10 do 3: n = n + 1; 4: k = k + n; 5: end Two choices: 1. Stay precise but store frontier set only 2. Use a convex set (an over-approximation) F1 = { 1, } F2 = { 1,, 2,n=0^k=0 } F3 = { 1,, 2,n=0^k=0, 3,n=0^k=0 } F4 = { 1,, 2,n=0^k=0, 3,n=0^k=0, 4,n=1^k=0 } F5 = { 1,, 2,n=0^k=0, 3,n=1^k=1, 4,n=2^k=1 }... = { 1,, 2,n=0^k=0, 3,n=9^k=45, 4,n=10^k=45 } Fixpoint! Potential problems with this approach: termination! 25

26 The Middle Ground int x[10]; int len, ok; if ( len >= 0 && len < 10) ok = 1; else ok = 0;. if (ok) x[len] = 0; Required a Disjunctive Invariant: (ok=0) OR (ok =1 and 0 len< 10) Disjunctive union of polyhedra [Sankaranarayanan et al. 06] Fix the upper limit of disjuncts allowed in the abstract domain Heuristically merge at join points, or keep them separate Good performance vs. accuracy (~20% more proofs, 1.5X time) Still less time than power-set based model checking 26

27 Numerical Abstract Domains Interval domain [Cousot+Cousot 77] Ranges for the program variables (X in [10,15], Y in [50,90], ) Octagon domain [Miné 01] Difference expressions between variables (± x ± y c) Symbolic ranges [Sankaranarayanan et al. 07] Interval with linear expressions as ranges (x in [10,15], y in [exp1(x), exp2(y)], z in [exp1(x,y),exp2(x,y)], ) Polyhedral domain [Cousot + Halbwachs 79] Arbitrary linear invariants (Polyhedral) power-set domains Union of polyhedra (not a convex set) Proofs are valid, but bugs (lack of proofs) may be bogus Follow up with bit-precise model checking / BMC 27

28 BDDs + Polyhedral Powersets 9!rtr x>4 0 x<= t>6 6 5 t<=6 p 3 p 2 p 1 p 0 q 3 q 2 q 1 q 0 condition x<= x> t> t<= rtr= rtr= rtr 8 7 PC (program counter) expressions in Boolean logic (could use BDDs) Data expressions in integer domains (octagons, polyhedral,etc.) 28

29 Symbolic Transition Relation ( d c T = ) ( bi, bj E ) ti tij Transition from block bi b to block under condition t = ( P = i) ( x ' = e ) d X i k = 1 k ik c t = ( P = i ) ( P ' = j ) θ ( b, b ) ij i j j p 3 p 2 p 1 p 0 q 3 q 2 q 1 q 0 condition x<= x> t> t<= rtr= rtr= (pc=1 ^ pc =2) ^ (x<=4) ^ (y = y+1 ^ ) OR (pc=1 ^ pc =3) ^ (x>4 ) ^ (l = 1 ^ rtr = 1 ^ ) OR 29

30 Unified View: Composite Symbolic Computation Definition F F F :Boolean logic I :Presburger arithmetic R :Real linear constraints DNF B F : = F F F F F F B I R F = ( F F F ) CUDD for Omega library for i i i i B F F Parma Polyhedral Library for I B I R Existential Quantification by individual solvers in isolation! v, v, v. F = (( v. F ) ( v. F ) ( v. F )) B I R nf B B I I R R i= 1 i i i F R 30

31 Symbolic Fixpoint Computation Image of a set D of abstract states post( T, D) = ( X, P.( T ) D) ( bi, bj) E ij ( X / X ', P / P') = ( X, P. T D) ( bi, bj) E ij ( X / X ', P / P') Image is computed by BDD and polyhedral analysis separately based on the subformula types 31

32 Experiments Test Program Completed CPU Time (s) nonlinear appx. MIX m.c. [Yang et al. MEMOCODE 2006] Comparing MIX with other methods for reachability computation (T/O = 3600s) Name bvar depth BDDm.c. SATbmc BDDm.c. SATbmc bakery Y (68) Y 2 T/O 13 tcas-1a Y (103) Y 433 T/O 374 tcas-any (103) (100) Y T/O T/O 415 ppp Y (84) Y 687 T/O 51 mcf1_as Y (98) Y 150 T/O 2 * mcf2_afr Y (60) Y 110 T/O 5 mcf3_mrr Y (43) Y 190 T/O 4 bftpd_useringrp Y Y Y 1 T/O 1 bftpd_chkuser (0) (70) Y T/O T/O 20 bftpd_chkshell (0) (44) Y T/O T/O 48 bftpd_chkpasswd (10) (13) Y T/O T/O 760 MIX m.c. BDD: BDD-based model checking, SAT: SAT-based BMC, MIX: composite symbolic model checking 32

33 What If It doesn t Terminate? 33

34 What If It doesn t Terminate? 34

35 Widening (interval domain) [a, b] [a', b'] If a a' then a else - If b' b then b else + a a b b a 35

36 Widening (polyhedral domain) 36

37 Have more info about the expected result? 37

38 Widening Up-To (polyhedral domain) 38

39 Cooperative Framework Scalability F-Soft Static analysis engines Model Checking engines Accuracy Common decision procedures SAT solver, SMT solver, Octagon library, Polyhedra library Common program representation: Control Flow Graph Translation of CFG to representation for decision procedures Translation of witness back to CFG (when applicable) 39

40 When widening is too coarse 40

41 Extrapolation with a Care Set 41

42 CEX Driven Refinement of the Care Set 42

43 CEX Driven Refinement Iteratively tightening up the care set CEX driven refinement helps improving Join operator [Gulavani & Rajamani, 2006, 2008] Widening up-to operator [Halbwachs 93, 97] Extrapolation with care set [Wang et al. CAV 2007] 43

44 Experiments [Wang et al. CAV 2007] Automatic refinement of the Extrapolation with Care Set operator Combines precision of model checking and performance of static analysis 44

45 F-Soft Technology Transfer: Varvel Product Acknowledgement: Y. Hashimoto et al., NEC Statically detects typical run-time error for C from source code Currently in practical in-house use for commercial product software No test programs, No test data Source code to be verified Typical run-time error detection - Invalid pointer dereferencing - Array bounds violation - String operation errors - Memory management errors Listing results. Showing trace for each result working with editor. Assumption Approximation VARVEL Control flow graph (Bounded) Model Checking Exhaustive search Post processing Control flow graph Program Analysis Static analysis techniques similarly used in compilers Logical equations expressing finite state space Counter examples (Execution) path to cause errors. 45

46 Varvel: In-house Verification Service Acknowledgement: Y. Hashimoto et al., NEC Varvel is used to provide in-house Source code Verification Service Service provided by SW developers, not verification experts Verified source code of several commercial SW projects Total lines: about 3.7 MLOC in ~10 projects (up to 1.2 MLOC in one project) Verified source code had been already tested Found many bugs, subsequently confirmed by developers 46 46

47 Lessons Learned Accuracy of program modeling AND efficiency of analysis are crucial Conflicting requirements in general, but don t give up too early Harder to regain global precision (e.g. pointer aliasing info) from local refinements Advancements in symbolic constraint solvers (SAT, SMT) offer hope Sophisticated search heuristics and learning are useful for finding concrete traces (for bugs, for test inputs) More scalable than methods that store (concrete) states Model-specific constraints provide additional performance benefits Stage the analyses (cheaper methods first) in cooperative framework Difficult to handle MLOC, 1000s of properties: no silver bullet Stage the analyses to reduce model and # properties, and to improve precision Pay attention to proofs (provide useful abstractions/interpolants) STAGED ANALYSES Less # properties, Model simplification, More precise analysis Static Program Analysis Engines Intervals, Octagons, Sym ranges, Polyhedra Model Checking Engines SAT/SMT-based BMC, BDD+Omega 47

Verifying C Programs Using SAT-based Model Checking

Verifying C Programs Using SAT-based Model Checking Satisfiability Solvers and Program Verification (SSPV) August 11, 2006 Aarti Gupta agupta@nec-labs.com NEC Laboratories America Princeton Acknowledgements: