Seminar in Software Engineering Presented by Dima Pavlov, November 2010
2 1. Introduction 2. Overview: CBMC and SAT 3. CBMC loop unwinding 4. Running CBMC 5. Let's compare 6. How does it work? 7. Conclusions
3 CBMC allows verifying: array bounds (buffer overflows), pointer safety, user-specified assertions, exceptions.
4 Complex language features, such as: bit-vector operators (shifting, and, or; e.g. operator=(const BitVector &RHS), void swap), pointers and pointer arithmetic (ptr++;), dynamic memory allocation (malloc/free), dynamic data types (char s[n]).
5 CBMC searches for a counterexample in traces whose length is bounded by some integer n. If no bug is found, the bound n is increased until either a bug is found, a bound ensuring correctness is reached, or the problem gets too big / takes too much time. The BMC problem can be efficiently reduced to a propositional satisfiability problem, and can therefore be solved by standard SAT methods.
7 More than eight years on the market. Was used to find previously unknown bugs in MS Windows device drivers. Known to scale to programs with over 30K LOC.
8 Developed at CMU and Oxford by Daniel Kroening et al.
9 CBMC logic SAT Full Model
10 Transform the program into a control flow graph (CFG)
12 Idea: Follow paths through the CFG to an assertion, and build a formula that corresponds to the path
13 We pass the formula to a SAT solver and obtain a satisfying assignment, say:
14 Solvers: Z3 (Microsoft) is a high-performance theorem prover; Yices (SRI); Boolector.
16 Main idea: given a program and a claim, use a SAT solver to find whether there exists an execution that violates the claim. (We do not want the program to crash: what SAT result do we want?)
Pipeline: Program + Claim -> Analysis Engine -> CNF -> SAT Solver -> SAT (counterexample exists) or UNSAT (no counterexample found).
17 Program:
int x; int y=8, z=0, w=0;
if (x) z = y - 1; else w = y + 1;
assert(z == 7 || w == 9);
Constraints (the assertion is negated using De Morgan's laws): y = 8, z = x ? y - 1 : 0, w = x ? 0 : y + 1, z != 7, w != 9. CBMC looks for the opposite of the claim: UNSAT, so no counterexample, the assertion always holds!
18 Program:
int x; int y=8, z=0, w=0;
if (x) z = y - 1; else w = y + 1;
assert(z == 5 || w == 9);
Constraints: y = 8, z = x ? y - 1 : 0, w = x ? 0 : y + 1, z != 5, w != 9. SAT: counterexample found! y = 8, x = 1, w = 0, z = 7.
19 Why? Let's assume that t=65.
20 The SAT solver can only explore finite-length executions! Loops must be bounded (i.e., the analysis is incomplete).
Pipeline: Program + Claim + Bound (n) -> Analysis Engine -> CNF -> SAT Solver -> SAT (counterexample exists) or UNSAT (no counterexample of bound n is found).
21 CBMC, the ANSI-C model checker: CBMC transforms the code into a satisfiability problem, and the SAT solver looks for the satisfying assignments.
22 For help: cbmc --help
To see the list of claims: cbmc --show-claims
To check a single claim: cbmc --unwind n --claim x
Example: cbmc file1.c --show-claims --bounds-check --pointer-check
23 Like a compiler, CBMC takes the names of .c files as command-line arguments. CBMC then translates the program and merges the function definitions from the various .c files, just like a linker. But instead of producing a binary for execution, CBMC performs symbolic simulation on the program.
24 Consider the following program:
int puts(const char *s) { return 0; }   /* stub standing in for the library function */
int main(int argc, char **argv) {
  int i;
  if(argc>=1)
    puts(argv[2]);
  return 0;
}
Will it pass compilation? Yes, though this program is faulty, as the argv array might have only one element, and then the array access argv[2] is out of bounds. Now, run CBMC as follows:
25 cbmc file1.c --show-claims --bounds-check --pointer-check
The two options --bounds-check and --pointer-check instruct CBMC to look for errors related to array bounds and pointers.
26 1. CBMC prints the list of properties it checks. 2. It largely determines the properties it needs to check by itself. Whether one of these claims corresponds to a bug needs to be determined by further analysis. One option for this analysis is symbolic simulation, which corresponds to a translation of the program into a formula: cbmc file1.c --show-vcc --bounds-check --pointer-check
27 Verification conditions: a verification condition needs to be proven valid by a SAT solver in order to assert that the corresponding property holds. cbmc file1.c --bounds-check --pointer-check
28 int puts(const char *s) { return 0; }
int main(int argc, char **argv) {
  int i;
  if(argc>=1)
    puts(argv[2]);
  return 0;
}
How can we fix the problem? Guard the access:
int puts(const char *s) { return 0; }
int main(int argc, char **argv) {
  int i;
  if(argc>=2)   /* as on the slide; note that with argc == 2, argv[2] is the terminating null pointer, so a real puts would need argc>=3 */
    puts(argv[2]);
  return 0;
}
29 CBMC is aimed at embedded software, and these kinds of programs usually have different entry points (a main function is not needed). Furthermore, CBMC is also useful for verifying program modules. Run it on a single function with: cbmc file2.c --function sum
int array[10];
int sum() {
  unsigned i, sum;
  sum=0;
  for(i=0; i<10; i++)
    sum+=array[i];
  return sum;
}
30 CBMC transforms the equation into CNF and passes it to a SAT solver. CBMC can now detect that the equation is actually not valid, and thus that there is a bug in the program. It prints a counterexample trace.
31 Comparison (Tool | Compile/run time | Used in | Customizable | Testing / mainly used for | On the market | Completeness | Soundness | Languages):
JML | Static checkers (ESC/Java2), also runtime checker | By NASA | Highly | - | 1997 | No false positives | No false negatives | Java
Blast | Static instrumentation (compile time) | Windows drivers | No | Identify each important execution path | 2002 | Only if the verification succeeds, a formal proof is created | No false alarms | C
CBMC | SSA | Windows drivers | No | Yes | 2003 | No, only reports counterexamples | Yes | C/C++
32 Transform a program into a set of equations: 1. simplify control flow; 2. unwind all of the loops; 3. convert into Static Single Assignment (SSA); 4. convert into equations; 5. solve with a SAT solver.
33 All side effects are removed, e.g., j=i++ becomes j=i; i=i+1. Control flow is made explicit: continue and break are replaced by goto. All loops are simplified into one form: for and do-while are replaced by while.
34 All loops are unwound. To check whether the unwinding is sufficient, special unwinding assertion claims are added. If a program satisfies all of its claims and all unwinding assertions, then it is correct! The same is done for backward goto jumps and recursive functions.
35 while() loops are unwound iteratively (break/continue have been replaced by goto). Original:
void f(...) { ... while(cond) { Body; } Remainder; }
36 After one unwinding:
void f(...) { ... if(cond) { Body; while(cond) { Body; } } Remainder; }
37 After two:
void f(...) { ... if(cond) { Body; if(cond) { Body; while(cond) { Body; } } } Remainder; }
38 After three:
void f(...) { ... if(cond) { Body; if(cond) { Body; if(cond) { Body; while(cond) { Body; } } } } Remainder; }
An assertion is inserted after the last iteration: it is violated if the program runs longer than the bound permits.
39 The remaining loop is replaced by the unwinding assertion:
void f(...) { ... if(cond) { Body; if(cond) { Body; if(cond) { Body; assert(!cond); } } } Remainder; }
If it holds, this is a positive correctness result! It is called high-level worst-case execution time (WCET), which is very appropriate for embedded software.
40 unwind = 3:
void f(...) { j = 1; while (j <= 2) j = j + 1; Remainder; }
becomes
void f(...) { j = 1; if(j <= 2) { j = j + 1; if(j <= 2) { j = j + 1; if(j <= 2) { j = j + 1; assert(!(j <= 2)); } } } Remainder; }
(j reaches 3 after two iterations, so the third guard is false and the unwinding assertion holds.)
41 unwind = 3:
void f(...) { j = 1; while (j <= 10) j = j + 1; Remainder; }
becomes
void f(...) { j = 1; if(j <= 10) { j = j + 1; if(j <= 10) { j = j + 1; if(j <= 10) { j = j + 1; assert(!(j <= 10)); } } } Remainder; }
(after three iterations j is only 4, so assert(!(j <= 10)) fails: the bound is too small.)
42 Easy to transform when every variable is only assigned once! Program: x = a; y = x + 1; z = y - 1; No ambiguity. Constraints: x = a && y = x + 1 && z = y - 1 &&
43 When a variable is assigned multiple times, introduce a fresh variable for each assignment (later right-hand sides refer to the latest version). Program -> SSA program.
44 Program: if (v) x = y; else x = z; w = x;
SSA program: if (v0) x0 = y0; else x1 = z0; w1 = x??; What should x be?
45 SSA program: if (v0) x0 = y0; else x1 = z0; x2 = v0 ? x0 : x1; w1 = x2. For each join point, add new variables with selectors.
47 Conclusions: developed at CMU and used for Windows; CBMC + SAT = full model; running CBMC; compared to JML and BLAST; how does it work: from code to formula.
48 Thank you Meet at the computer lab
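To make the pipeline of slides 17/18 (constraints from a program), 35-41 (loop unwinding with the unwinding assertion) and 42-45 (SSA with selectors at join points) concrete, here is an added example that is not part of the seminar slides and not CBMC's own code: a toy bounded model checker for a tiny statement language. Loops are unwound, variables are renamed into SSA, definitions and guarded assertions are generated, and, as an assumption of this example, exhaustive enumeration of the inputs over a small domain stands in for the SAT solver; the statement tuples and function names are my own.

```python
import itertools
import re

# Statements: ("assign", var, expr), ("if", cond, then_stmts, else_stmts),
# ("while", cond, body_stmts), ("assert", expr). Expressions use Python syntax.

def fresh(var, counter):
    """Hand out the next SSA version number for var (x_0, x_1, ...)."""
    counter[var] = counter.get(var, -1) + 1
    return counter[var]

def rename(expr, env):
    """Rewrite each variable to its current SSA version: 'y - 1' -> 'y_0 - 1'."""
    return re.sub(r"\b([A-Za-z_]\w*)\b",
                  lambda m: f"{m[1]}_{env[m[1]]}" if m[1] in env else m[1], expr)

def unwind(stmts, bound):
    """Slides 35-41: replace a while loop by `bound` nested ifs, each holding one copy
    of the body, with the unwinding assertion assert(!cond) after the last copy."""
    out = []
    for s in stmts:
        if s[0] == "while":
            _, cond, body = s
            nested = [("assert", f"not ({cond})")]
            for _ in range(bound):
                nested = [("if", cond, unwind(body, bound) + nested, [])]
            out.extend(nested)
        elif s[0] == "if":
            out.append(("if", s[1], unwind(s[2], bound), unwind(s[3], bound)))
        else:
            out.append(s)
    return out

def to_ssa(stmts, env, guard, counter, defs, checks):
    """Slides 42-45: every assignment gets a fresh variable; at a join point a selector
    x_2 = (x_0 if v_0 else x_1) picks the right version. Each assertion is recorded as
    'guard implies expr', where guard is the path condition leading to it."""
    for s in stmts:
        if s[0] == "assign":
            _, var, expr = s
            rhs = rename(expr, env)      # the RHS sees the versions current before the assignment
            env = {**env, var: fresh(var, counter)}
            defs.append((f"{var}_{env[var]}", rhs))
        elif s[0] == "assert":
            checks.append(f"not ({guard}) or ({rename(s[1], env)})")
        elif s[0] == "if":
            _, cond, then_s, else_s = s
            c = rename(cond, env)
            env_t = to_ssa(then_s, env, f"({guard}) and ({c})", counter, defs, checks)
            env_e = to_ssa(else_s, env, f"({guard}) and not ({c})", counter, defs, checks)
            env = dict(env)
            for var in sorted(set(env_t) | set(env_e)):
                a, b = env_t.get(var), env_e.get(var)
                if a is None or b is None or a == b:
                    env[var] = b if a is None else a
                else:                    # join point: new version chosen by a selector
                    env[var] = fresh(var, counter)
                    defs.append((f"{var}_{env[var]}", f"({var}_{a} if {c} else {var}_{b})"))
    return env

def check(stmts, inputs, bound, domain=range(0, 8)):
    """Unwind, convert to SSA, then look for a counterexample. Enumerating the inputs over
    a small domain replaces the SAT solver CBMC would call (assumption of this example).
    Returns None (UNSAT: every assertion holds within the bound) or a counterexample."""
    counter = {}
    env = {v: fresh(v, counter) for v in inputs}   # inputs are unconstrained, version 0
    defs, checks = [], []
    to_ssa(unwind(stmts, bound), env, "True", counter, defs, checks)
    for values in itertools.product(domain, repeat=len(inputs)):
        state = {f"{v}_0": val for v, val in zip(inputs, values)}
        for name, expr in defs:          # SSA definitions evaluate in program order
            state[name] = eval(expr, {}, state)
        for c in checks:
            if not eval(c, {}, state):
                return {"inputs": dict(zip(inputs, values)), "violated": c, "state": state}
    return None

# Slides 17/18: the if/else program, with x an unconstrained input.
def branch_program(expected):
    return [("assign", "y", "8"), ("assign", "z", "0"), ("assign", "w", "0"),
            ("if", "x != 0", [("assign", "z", "y - 1")], [("assign", "w", "y + 1")]),
            ("assert", f"z == {expected} or w == 9")]

# Slides 40/41: the counting loop, checked with unwind bound 3.
def loop_program(limit):
    return [("assign", "j", "1"), ("while", f"j <= {limit}", [("assign", "j", "j + 1")])]

if __name__ == "__main__":
    print(check(branch_program(7), ["x"], bound=1))   # None: UNSAT, the assertion always holds
    print(check(branch_program(5), ["x"], bound=1))   # counterexample with x = 1, z_2 = 7, w_2 = 0
    print(check(loop_program(2), [], bound=3))        # None: bound 3 is sufficient
    print(check(loop_program(10), [], bound=3))       # unwinding assertion violated, j_3 = 4
```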
More informationLexical Considerations
Massachusetts Institute of Technology Department of Electrical Engineering and Computer Science 6.035, Fall 2005 Handout 6 Decaf Language Wednesday, September 7 The project for the course is to write a
More informationAutomatic Qualification of Abstract Interpretation-based Static Analysis Tools. Christian Ferdinand, Daniel Kästner AbsInt GmbH 2013
Automatic Qualification of Abstract Interpretation-based Static Analysis Tools Christian Ferdinand, Daniel Kästner AbsInt GmbH 2013 2 Functional Safety Demonstration of functional correctness Well-defined
More informationLecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning
Lecture 1 Contracts 15-122: Principles of Imperative Computation (Spring 2018) Frank Pfenning In these notes we review contracts, which we use to collectively denote function contracts, loop invariants,
More informationComputer Components. Software{ User Programs. Operating System. Hardware
Computer Components Software{ User Programs Operating System Hardware What are Programs? Programs provide instructions for computers Similar to giving directions to a person who is trying to get from point
More informationMemory Allocation in C
Memory Allocation in C When a C program is loaded into memory, it is organized into three areas of memory, called segments: the text segment, stack segment and heap segment. The text segment (also called
More informationCYSE 411/AIT681 Secure Software Engineering Topic #10. Secure Coding: Integer Security
CYSE 411/AIT681 Secure Software Engineering Topic #10. Secure Coding: Integer Security Instructor: Dr. Kun Sun 1 This lecture: [Seacord]: Chapter 5 Readings 2 Secure Coding String management Pointer Subterfuge
More informationCSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak
CSE 403: Software Engineering, Fall 2016 courses.cs.washington.edu/courses/cse403/16au/ Static Analysis Emina Torlak emina@cs.washington.edu Outline What is static analysis? How does it work? Free and
More informationContents of Lecture 3
Contents of Lecture 3 Repetition of matrices double a[3][4]; double* b; double** c; Terminology Linkage Types Conversions Jonas Skeppstedt (js@cs.lth.se) Lecture 3 2014 1 / 33 A global matrix: double a[3][4]
More informationOn Search Strategies for Constraint-Based Bounded Model Checking. Michel RUEHER
raft On Search Strategies for Constraint-Based Bounded Model Checking Michel RUEHER Joined work with Hélène Collavizza, Nguyen Le Vinh, Olivier Ponsini and Pascal Van Hentenryck University Nice Sophia-Antipolis
More information