Seminar in Software Engineering Presented by Dima Pavlov, November 2010

Transcription

1 Seminar in Software Engineering Presented by Dima Pavlov, November 2010

2 1. Introduction 2. Overview CBMC and SAT 3. CBMC Loop Unwinding 4. Running CBMC 5. Lets Compare 6. How does it work? 7. Conclusions

3 CBMC allows verifying: Array bounds (buffer overflows) Pointer safety User-specified assertions Exceptions

4 Complex language features, such as: Bit vector operators (shifting, and, or, operator= (const BitVector &RHS) void swap ) Pointers, pointer arithmetic (ptr++;) Dynamic memory allocation: malloc/free Dynamic data types: char s[n]

5 CBMC is search for a counterexample in traces whose length is bounded by some integer n. If no bug is found then the bound n is increased until either a bug is found, a bound ensuring correctness is reached. problem gets to big/takes to much time The BMC problem can be efficiently reduced to a propositional satisfiability problem, and can therefore be solved by standard SAT methods

6

7 More than eight years on the market Was used to find previously unknown bugs in MS Windows device drivers Known to scale to programs with over 30K LOC

8 Developed at CMU and Oxford by Daniel Kroening et al.

9 CBMC logic SAT Full Model

10 Transform the program into a control flow graph (CFG)

11

12 Idea: Follow paths through the CFG to an assertion, and build a formula that corresponds to the path

13 We pass to a SAT solver and obtain a satisfying assignment, say:

14 Z3(Microsoft) -is a high-performance theorem prover Yicer(SRI) Boolector

15

16 We do not want the program to Main Idea: Given a program and a claim use ark SAT-solver crash-what to find whether there exists an execution that violates the claim. SAT result do we want? Program Claim Analysis Engine CNF SAT Solver SAT (counterexample exists) UNSAT (no counterexample found)

17 Program Constraints De Morgan's laws int x; int y=8,z=0,w=0; if (x) z = y 1; else w = y + 1; assert (z == 7 w == 9) y = 8, z = x? y 1 : 0, w = x? 0 :y + 1, z!= 7, w!= 9 Looks for the opposite UNSAT no counterexample assertion always holds!

18 Program Constraints int x; int y=8,z=0,w=0; if (x) z = y 1; else w = y + 1; assert (z == 5 w == 9) y = 8, z = x? y 1 : 0, w = x? 0 :y + 1, z!= 5, w!= 9 SAT counterexample found! y = 8, x = 1, w = 0, z = 7

19 ? Why Lets assume that : t=65

20 SAT Solver can only explore finite length executions! Loops must be bounded (i.e., the analysis is incomplete) Program Claim Analysis Engine CNF SAT Solver Bound (n) SAT (counterexample exists) UNSAT (no counterexample of bound n is found)

21 CBMC ANSI C Model checker We have CBMC which transforms code into satisfying assignments SAT solves the satisfying assignments

22 For help cbmc help To see the list of claims cbmc --show-claims - To check a single claim cbmc --unwind n --claim x cbmc file1.c --show-claims --bounds-check --pointer-check

23 Like a compiler, CBMC takes the names of.c files as command line arguments. Like a linker CBMC then translates the program and merges the function definitions from the various.c files, just like a linker. But instead of producing a binary for execution, CBMC performs symbolic simulation on the program.

24 Yes, though this program is faulty, as the argv array might have only one element, and then the array access argv[2] is out of bounds. Now, run CBMC as follows: int puts(const char *s) { int main(int argc, char **argv) { int i; if(argc>=1) puts(argv[2]); Will it pass compilation?

25 cbmc file1.c --show-claims --boundscheck --pointer-check The two options instruct CBMC to look for errors related to pointers and array bounds --bounds-check --pointer-check cbmc file1.c --show-claims --bounds-check -- pointer-check

26 1. CBMC prints the list of properties it checks. 2. It largely determines the property it needs to check itself Whether one of these claims corresponds to a bug needs to be determined by further analysis=> One option for this analysis is symbolic simulation, which corresponds to a translation of the program into a formula. cbmc file1.c --show-vcc --bounds-check -- pointer-check

27 verification conditions A verification condition needs to be proven to be valid by a SAT solver in order to assert that the corresponding property holds. cbmc file1.c --bounds-check --pointer-check

28 int puts(const char *s) { int main(int argc, char **argv) { int i; if(argc>=1) puts(argv[2]); How can we fix the problem? int puts(const char *s) { int main(int argc, char **argv) { int i; if(argc>=2) puts(argv[2]);

29 CBMC is aimed at embedded software, and these kinds of programs usually have different entry points(does not need main function). Furthermore, CBMC is also useful for verifying program modules. int array[10]; cbmc file2.c --function sum int sum() { unsigned i, sum; sum=0; for(i=0; i<10; i++) sum+=array[i];

30 CBMC transforms the equation into CNF and passes it to a SAT solver CBMC can now detect that the equation is actually not valid, and thus, there is a bug in the program. It prints a counterexample trace

31 Tool Compiling/Run time Used in custom izable Testing on the Market Completeness Soundness mainly used for Language s JML Static checkers (ESC/Java2)/also Runtime checker By Nasa Highly 1997 No-false positive No- false negative java Blast Static instrumentation (Compile time) windows drivers No indentify each importan t executio n path 2002 Only If the verification succeeds a formal proof is created. No-false alarms c CBMC SSA windows drivers No Yes 2003 No- Only reports conterexamples Yes c/c++

32 Transform a programs into a set of equations Simplify control flow Unwind all of the loops Convert into Single Static Assignment (SSA) Convert into equations Solve with a SAT Solver

33 All side effect are removed e.g., j=i++ becomes j=i;i=i+1 Control Flow is made explicit continue, break replaced by goto All loops are simplified into one form for, do while replaced by while

34 All loops are unwound to check whether unwinding is sufficient special unwinding assertion claims are added If a program satisfies all of its claims and all unwinding assertions then it is correct! Same for backward goto jumps and recursive functions

35 void f(...) {... while(cond) { Body; Remainder; while() loops are unwound iteratively Break / continue replaced by goto

36 void f(...) {... if(cond) { Body; while(cond) { Body; Remainder; while() loops are unwound iteratively Break / continue replaced by goto

37 void f(...) {... if(cond) { Body; if(cond) { Body; while(cond) { Body; Remainder; while() loops are unwound iteratively Break / continue replaced by goto

38 void f(...) {... if(cond) { Body; if(cond) { Body; if(cond) { Body; while(cond) { Body; Remainder; while() loops are unwound iteratively Break / continue replaced by goto Assertion inserted after last iteration: violated if program runs longer than bound permits

39 void f(...) {... if(cond) { Body; if(cond) { Body; if(cond) { Body; assert(!cond); Remainder; Unwinding assertion while() loops are unwound iteratively Break / continue replaced by goto Assertion inserted after last iteration: violated if program runs longer than bound permits Positive correctness result! It is called High level worst case execution time (WCET), which is very appropriate for embedded software.

40 void f(...) { j = 1 while (j <= 2) j = j + 1; Remainder; void f(...) { j = 1 if(j <= 2) { j = j + 1; if(j <= 2) { j = j + 1; if(j <= 2) { j = j + 1; assert(!(j <= 2)); Remainder; unwind = 3

41 void f(...) { j = 1 while (j <= 10) j = j + 1; Remainder; unwind = 3 void f(...) { j = 1 if(j <= 10) { j = j + 1; if(j <= 10) { j = j + 1; if(j <= 10) { j = j + 1; assert(!(j <= 10)); Remainder;

42 Easy to transform when every variable is only assigned once! SSA Program x = a; y = x + 1; z = y 1; No ambiguity Constraints x = a && y = x + 1 && z = y 1 &&

43 When a variable is assigned multiple times, use a new variable for the RHS of each assignment Program SSA Program

44 Program SSA Program if (v) x = y; else x = z; w = x; if (v 0 ) x 0 = y 0 ; else x 1 = z 0 ; w 1 = x??; What should x be?

45 Program SSA Program if (v) x = y; else x = z; w = x; if (v 0 ) x 0 = y 0; else x 1 = z 0; x 2 = v 0? x 0 : x 1 ; w 1 = x 2 For each join point, add new variables with selectors

46

47 Developed in CMU and used for Windows CBMC +SAT=Full Model Running CBMC Compared to JML, BLAST How does it work- From code to formula

48 Thank you Meet at the computer lab