: A Bounded Model Checking Tool to Verify Qt Applications

Similar documents
Bounded Model Checking of C++ Programs based on the Qt Cross-Platform Framework (Journal-First Abstract)

Applying Multi-Core Model Checking to Hardware-Software Partitioning in Embedded Systems

Model Checking Embedded C Software using k-induction and Invariants

SMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

UNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES

MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING

ECBS SMT-Bounded Model Checking of C++ Programs. Mikhail Ramalho, Mauro Freitas, Felipe Sousa, Hendrio Marques, Lucas Cordeiro, Bernd Fischer

Handling Loops in Bounded Model Checking of C Programs via k-induction

Verifying C & C++ with ESBMC

DSVerifier: A Bounded Model Checking Tool for Digital Systems

System LAV and Its Applications

ESBMC 1.22 (Competition Contribution) Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

Bounded Model Checking Of C Programs: CBMC Tool Overview

Software Model Checking. Xiangyu Zhang

The Low-Level Bounded Model Checker LLBMC

Static program checking and verification

Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

CSC2108: Automated Verification Assignment 3. Due: November 14, classtime.

Counterexample Guided Inductive Optimization Applied to Mobile Robot Path Planning SBR/LARS 2017

Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

Applications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo

OptCE: A Counterexample-Guided Inductive Optimization Solver

Automatic Software Verification

Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011

SMT-Based Bounded Model Checking for Embedded ANSI-C Software

JBMC: A Bounded Model Checking Tool for Verifying Java Bytecode. Lucas Cordeiro Pascal Kesseli Daniel Kroening Peter Schrammel Marek Trtik

KLEE Workshop Feeding the Fuzzers. with KLEE. Marek Zmysłowski MOBILE SECURITY TEAM R&D INSTITUTE POLAND

More on Verification and Model Checking

Satisfiability Modulo Theories: ABsolver

Introduction to CBMC: Part 1

Program Verification. Aarti Gupta

The Spin Model Checker : Part I/II

Qt Introduction. Topics. C++ Build Process. Ch & Ch 3. 1) What's Qt? 2) How can we make a Qt console program? 3) How can we use dialogs?

BITCOIN MINING IN A SAT FRAMEWORK

PLDI 2016 Tutorial Automata-Based String Analysis

A Case Study on Model Checking and Deductive Verification Techniques of Safety-Critical Software

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

C Code Verification based on the Extended Labeled Transition System Model

2 rd class Department of Programming. OOP with Java Programming

Bug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher

Verification & Validation of Open Source

Model Checking of C and C++ with DIVINE 4

CSE507. Practical Applications of SAT. Computer-Aided Reasoning for Software. Emina Torlak

Automated Test Generation using CBMC

Qt Essentials - Fundamentals of Qt Module

Program Verification (6EC version only)

Quantifying Information Leaks in Software

Final CSE 131B Spring 2004

CSE 333 Lecture C++ final details, networks

CS 6V Program Analysis I: Dynamic Detection of Likely Invariants and Robust Signatures for Kernel Data Structure.

Encoding floating-point numbers using the SMT theory in ESBMC: An empirical evaluation over the SV-COMP benchmarks

Pointers and scanf() Steven R. Bagley

Introduction to Programming Using Java (98-388)

Environment Modeling for Modular Software Analysis with Java PathFinder Part 1

ArgoSMTExpression: an SMT-LIB 2.0 compliant expression library

Model Checking with Automata An Overview

Common Misunderstandings from Exam 1 Material

Efficiently Solving Bit-Vector Problems Using Model Checkers

Do Less By Default BRUCE RICHARDSON - INTEL THOMAS MONJALON - MELLANOX

Static Analysis in C/C++ code with Polyspace

Encoding floating-point numbers using the SMT theory in ESBMC: An empirical evaluation over the SV-COMP benchmarks

CS 510/13. Predicate Abstraction

On Search Strategies for Constraint-Based Bounded Model Checking. Michel RUEHER

Qt Essentials - Fundamentals of Qt Module

Constraint-Based Search Strategies For Bounded Program Verification. Michel RUEHER

SEMANTIC ANALYSIS TYPES AND DECLARATIONS

SimGrid MC 101. Getting Started with the SimGrid Model-Checker. Da SimGrid Team. April 11, 2017

Verifying Concurrent Programs

Automated Whitebox Fuzz Testing. by - Patrice Godefroid, - Michael Y. Levin and - David Molnar

Formal Specification and Verification

Main concepts to be covered. Testing and Debugging. Code snippet of the day. Results. Testing Debugging Test automation Writing for maintainability

Overview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas

SMT-Based Bounded Model Checking of C++ Programs

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

18-642: Code Style for Compilers

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

Formal Methods for Java

Program Correctness and Efficiency. Chapter 2

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

Qt + Maemo development

Patrick Trentin Formal Methods Lab Class, March 03, 2017

DART: Directed Automated Random Testing

Model Checking and Its Applications

arxiv: v1 [cs.ai] 11 Apr 2017

Design and Analysis of Distributed Interacting Systems

Overview of Timed Automata and UPPAAL

Predicate Abstraction Daniel Kroening 1

Array Initialization

Intro to Proving Absence of Errors in C/C++ Code

Announcements. Lecture 04b Header Classes. Review (again) Comments on PA1 & PA2. Warning about Arrays. Arrays 9/15/17

Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1

Software Architecture and Engineering: Part II

CSC System Development with Java. Exception Handling. Department of Statistics and Computer Science. Budditha Hettige

CSE 333 Lecture 9 - storage

LECTURE 3. Compiler Phases

C++ Crash Kurs. Exceptions. Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck

Assertion. C++ Object Oriented Programming Pei-yih Ting NTOU CS

Learning Loop Invariants for Program Verification

Transcription:

23 rd International SPIN symposium on Model Checking of Software : A Bounded Model Checking Tool to Verify Qt Applications Mário A. P. Garcia, Felipe R. Monteiro, Lucas C. Cordeiro, and Eddie B. de Lima Filho

Why should we ensure software reliability? Consumer electronic products must be as robust and bug-free as possible, given that even medium product-return rates tend to be unacceptable - In 2014, Apple revealed a bug known as Gotofail, which was caused by a single misplaced goto command in the code - Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS Apple Inc., 2014 - Mozilla browser has around 20,000 open bugs Michail, Amir. ICSE 05. It is important to adopt reliable verification methods, with the goal to ensure system correctness Model checking is an interesting approach, due to the possibility of automated verification

Model Checkers Limitations Verifiers should provide support regarding target language and system properties - However, verifiers present limitations to support linked libraries and development frameworks Java PathFinder is able to verify Java code, based on byte-code, but it does not support (full) verification of Java applications that rely on the Android operating system Efficient SMT-based context-bounded model checker (ESBMC++), can be employed to verify C/C++ code, but it does not support specific frameworks, such as Qt - these aspects restrict the range of applications to be verified

Qt Cross-Platform Framework Qt framework provides programs that run on different hardware/software platforms, with as few changes as possible, while maintaining the same power and speed. - Samsung, Philips, and Panasonic are some companies, on top 10 fortune 500 list, which apply Qt in their applications development Its libraries are organized into modules that rely on two main cores: - QtCore contains all non-graphical core classes - QtGUI provides a complete abstraction for the Graphical User Interface Additional Modules Qt Network Qt Multimedia Qt GUI Graphical user interface components QtCore Container Classes Qt Concurrent State Machines Qt Event System

Bounded Model Checking (BMC) Basic Idea: given a transition system M, check negation of a given propertyφup to given depth k Transition System ϕ 0 ϕ 1 ϕ 2 ϕ k-1 ϕ k... M 0 M 1 M 2 M k-1 M k Counterexample trace Property Bound Translated into a VC ψ such that: ψ is satisfiable iff φ has counterexample of max. depth k BMC has been applied successfully to verify (embedded) software since early 2000 s

Objectives Apply bounded model checking to Qt-based applications Develop a simplified implementation, which strictly provides the same behaviour of the Qt framework, focused on property verification Verify invalid memory access, time-period values, access to missing files, null pointers, string manipulation, container usage, among other properties of Qt applications Apply the proposed verification methodology to real world Qt-based applications, which is supported by ESBMC

ESBMC Architecture QtOM is an additional extension for the Efficient SMT-based Context- Bounded Model Checker (ESBMC++) to add support for Qt/C++ programs verification. Extract/Identify structure/properties Qt Documentation Adding assertions Qt Operational Model Qt/C++ Source Code Scan C++ Parser Scan IR Type Checked GOTO Converter GOTO Program Symbolic Execution SSA Form Logical Context Logical Formula SMT Solver Counterexample Property violation Property holds up to bound k Verification Successful

ESBMC Architecture QtOM is an additional extension for the Efficient SMT-based Context- Bounded Model Checker (ESBMC++) to add support for Qt/C++ programs verification. Adding assertions Qt Operational Model Extract/Identify structure/properties Scan C++ Parser Qt Documentation GOTO Converter Identify each language structure, such as method signatures and function prototypes; add assertions to check properties on each structure Symbolic Execution Logical Context SMT Solver Counterexample Qt/C++ Source Code Scan Verification Successful

ESBMC Architecture QtOM is an additional extension for the Efficient SMT-based Context- Bounded Model Checker (ESBMC++) to add support for Qt/C++ programs verification. Adding assertions Extract/Identify structure/properties Qt Documentation Processes the C++ file and builds an Abstract Syntax Tree (AST) Counterexample Qt Operational Model Scan C++ Parser IR Type Checked GOTO Converter Symbolic Execution Logical Context SMT Solver Qt/C++ Source Code Scan Verification Successful

ESBMC Architecture QtOM is an additional extension for the Efficient SMT-based Context- Bounded Model Checker (ESBMC++) to add support for Qt/C++ programs verification. Adding assertions Extract/Identify structure/properties Qt Documentation Converts a C++ program into a GOTO-Program (replacement of switch and while by if and goto expressions) Counterexample Qt Operational Model Scan C++ Parser IR Type Checked GOTO Converter GOTO Program Symbolic Execution Logical Context SMT Solver Qt/C++ Source Code Scan Verification Successful

ESBMC Architecture QtOM is an additional extension for the Efficient SMT-based Context- Bounded Model Checker (ESBMC++) to add support for Qt/C++ programs verification. Adding assertions Extract/Identify structure/properties Qt Documentation Converts GOTO-Program into a SSA Form Counterexample Qt Operational Model Scan C++ Parser IR Type Checked GOTO Converter GOTO Program Symbolic Execution SSA Form Logical Context SMT Solver Qt/C++ Source Code Scan Verification Successful

ESBMC Architecture QtOM is an additional extension for the Efficient SMT-based Context- Bounded Model Checker (ESBMC++) to add support for Qt/C++ programs verification. Adding assertions Extract/Identify structure/properties Qt Documentation Performs a symbolic execution of the program and generates SMT equations for constraints (C) and properties (P) Counterexample Qt Operational Model Scan C++ Parser IR Type Checked GOTO Converter GOTO Program Symbolic Execution SSA Form Logical Context Logical Formula SMT Solver Qt/C++ Source Code Scan Verification Successful

ESBMC Architecture QtOM is an additional extension for the Efficient SMT-based Context- Bounded Model Checker (ESBMC++) to add support for Qt/C++ programs verification. Adding assertions Qt Operational Model Qt/C++ Source Code Extract/Identify structure/properties Scan C++ Parser Scan Qt Documentation IR Type Checked GOTO Converter Evaluates the expression C P, using the specified solver (Z3, Boolector or Yices) GOTO Program Symbolic Execution SSA Form Logical Context Logical Formula SMT Solver Counterexample Property violation Property holds up to bound k Verification Successful

ESBMC Architecture QtOM is an additional extension for the Efficient SMT-based Context- Bounded Model Checker (ESBMC++) to add support for Qt/C++ programs verification. Adding assertions Qt Operational Model Qt/C++ Source Code Extract/Identify structure/properties Scan C++ Parser Scan Qt Documentation IR Type Checked GOTO Converter Is there a property violation? No. GOTO Program Symbolic Execution SSA Form Logical Context Logical Formula SMT Solver Counterexample Property violation Property holds up to bound k Verification Successful

ESBMC Architecture QtOM is an additional extension for the Efficient SMT-based Context- Bounded Model Checker (ESBMC++) to add support for Qt/C++ programs verification. Adding assertions Qt Operational Model Qt/C++ Source Code Extract/Identify structure/properties Scan C++ Parser Scan Qt Documentation IR Type Checked GOTO Converter Is there a property violation? Yes. GOTO Program Symbolic Execution SSA Form Logical Context Logical Formula The error present in source code is then described SMT Solver Counterexample Property violation Verification Successful Property holds up to bound k

ESBMC Features Through the integration of QtOM into ESBMC++,ESBMC is able to properly identify Qt/C++ programs and it provides support to the verification of six properties: 1. Invalid Memory Access: QtOM assertions ensure that only valid memory addresses are accessed 2. Time-period values: QtOM ensures that only valid time parameters are considered 3. Access to Missing Files: QtOM checks the access and manipulation of all handled files 4. Null Pointers: QtOM covers pointer manipulation, by ensuring that NULL pointers are not used in invalid operations 5. String Manipulation: QtOM checks pre- and postconditions to ensure correct string manipulation 6. Container usage: QtOM ensures the correct usage of containers, as well as their manipulation through specialized methods

Qt Operational Model (QtOM) Development process of the operational model QtGUI QtCore Qt Documentation class Q_CORE_EXPORT QFile : public QFileDevice {... QString filename() const; void setfilename(const QString &name);... };

Qt Operational Model (QtOM) Development process of the operational model. - Identify each property to be verified and transcript them into assertions QtGUI QtCore Qt Documentation Extract/Identify structure/properties class Q_CORE_EXPORT QFile : public QFileDevice {... QString filename() const; void setfilename(const QString &name);... };

Qt Operational Model (QtOM) Development process of the operational model. - Qt Operational Model is an abstract representation, which is used to identify elements and verify specific properties related to such structures QtGUI QtCore Qt Documentation Extract/Identify structure/properties QtGUI O. M. QtCore O. M. Qt Operational Model class Q_CORE_EXPORT QFile : public QFileDevice {... QString filename() const; void setfilename(const QString &name);... };

Qt Operational Model (QtOM) Development process of the operational model. - Qt Operational Model is an abstract representation, which is used to identify elements and verify specific properties related to such structures. QtGUI QtCore Qt Documentation class Q_CORE_EXPORT QFile : public QFileDevice {... QString filename() const; void setfilename(const QString &name);... }; Extract/Identify structure/properties QtGUI O. M. QtCore O. M. Qt Operational Model class QFile {... void setfilename(const QString & name){ ESBMC_assert(!name.isEmpty(), "The string must not be empty"); ESBMC_assert(!this->isOpen(), "The file must be closed"); }... };

Qt Operational Model (QtOM) Development process of the operational model. - Qt Operational Model is an abstract representation, which is used to identify elements and verify specific properties related to such structures. QtGUI QtCore Qt Documentation class Q_CORE_EXPORT QFile : public QFileDevice {... QString filename() const; void setfilename(const QString &name);... }; Extract/Identify structure/properties Assertions additions are of paramount importance, given that they ultimately allow formal property verification QtGUI O. M. QtCore O. M. Qt Operational Model class QFile {... void setfilename(const QString & name){ ESBMC_assert(!name.isEmpty(), "The string must not be empty"); ESBMC_assert(!this->isOpen(), "The file must be closed"); }... };

Running Example Function from a real-world Qt-based application called GeoMessage - Function responsible for loading initial settings of the application from a file QString loadsimulationfile( const QString &filename ) { m_inputfile.setfilename( filename ); // Check file for at least one message if (!doinitialread() ) { return Qstring( m_inputfile.filename() + is an empty message file ); } else { return NULL; } } Source Code

Running Example Function from a real-world Qt-based application called GeoMessage - Function responsible for loading initial settings of the application from a file QString loadsimulationfile( const QString &filename ) { m_inputfile.setfilename( filename ); // Check file for at least one message if (!doinitialread() ) { return Qstring( m_inputfile.filename() + is an empty message file ); } else { return NULL; } } Source Code Sets the file name

Running Example Operational model of the QFile class - Such class contain the representation of the setfilename method class QFile{... QFile(const QString& name) {... }... void setfilename( const QString& name){ ESBMC_assert(!(name.isEmpty()), "The string must not be empty"); ESBMC_assert(!(this >isopen()), "The file must be closed"); }... }; Operational Model Assertions to handle two properties verification. One checks whether the name is not an empty string and another checks if the file is closed

Running Example ESBMC is invoked as: - The verification process is completely automatic Executing ESBMC++ esbmc <file>.cpp unwind <k> I <path_to_qtom> I <path_to_c++_om>

Running Example ESBMC is invoked as: - The verification process is completely automatic Source code to be verified, which in this case is GeoMessage s function esbmc <file>.cpp unwind <k> I <path_to_qtom> I <path_to_c++_om>

Running Example ESBMC is invoked as: - The verification process is completely automatic Setting up the bound, which in this case we consider as 10 esbmc <file>.cpp unwind <k> I <path_to_qtom> I <path_to_c++_om>

Running Example ESBMC is invoked as: - The verification process is completely automatic Linking the operational models QtOM and COM for the Qt framework and C++ language, respectively. esbmc <file>.cpp unwind <k> I <path_to_qtom> I <path_to_c++_om>

Running Example Even assuming that a non-empty string is passed to the function, the model checker reports a bug in the source code QString loadsimulationfile( const QString &filename ) { m_inputfile.setfilename( filename ); There is nothing to ensure that the file was not open previously // Check file for at least one message if (!doinitialread() ) { return Qstring( m_inputfile.filename() + is an empty message file ); } else { return NULL; } } Source Code

Running Example After the modification mentioned below, the verification process returns a successful result QString loadsimulationfile( const QString &filename ) { if ( m_inputfile.isopen() ) m_inputfile.close(); m_inputfile.setfilename( filename ); We propose the addition of a conditional structure to ensure the file is closed before setting its name // Check file for at least one message if (!doinitialread() ) { return Qstring( m_inputfile.filename() + is an empty message file ); } else { return NULL; } } Source Code

Qt-based Applications Locomaps Application A Qt cross-platform sample application, which demonstrates satellite, terrain, street maps, tiled map service planning, and Qt Geo GPS Integration, among other features. Application description: - 2 classes - 115 Qt/C++ source lines of code - 5 different APIs from Qt framework are used Experimental Setup - ESBMC++ v1.25.4 - Intel Core i7-2600 computer with 3.40GHz clock and 24GB of RAM

Qt-based Applications GeoMessage Application A real-world Qt application - It receives XML files as input and generates, in different frequencies, User Datagram Protocol (UDP) broadcast datagrams, as an output to ArcGIS s applications and system components. Application description: - 4 classes - 1209 Qt/C++ source lines of code - 20 different APIs from Qt framework are used * Among them are QMutex and QMutexLocker, which are related to the Qt Threading module Experimental Setup - ESBMC++ v1.25.4 - Intel Core i7-2600 computer with 3.40GHz clock and 24 GB of RAM

Experimental Results Verification Results Properties checked: - Array-bound violations - Under- and overflow arithmetic - Division by zero - Pointer safety - Containers usage - String manipulation - Access to missing files The tool is able to fully identify the verified source code, using 5 different QtOM modules for Locomaps and 20 for GeoMessage.

Experimental Results Verification Results The verification process was automatic and approximately 6.7 seconds for Locomaps and 16 seconds for GeoMessage. All the process generated 32 verification conditions(vcs) for Locomaps and 6421 VCs for GeoMessage, on a standard PC desktop. ESBMC is able to find a similar bugs in both applications.

Experimental Results In that particular case, if the argv parameter is not correctly initialized, then the constructor called by object app does not execute properly and the application crashes int main(int argc, char argv[]){ QApplication app(argc, argv); return app.exec(); } Source Code There is nothing to ensure that the parameters are valid

Conclusions ESBMC was presented as an SMT-based BMC tool, which employs an operational model (QtOM) to verify Qt-based applications. The performed experiments involved two Qt/C++ applications, which were successfully verified, in the context of consumer electronics devices. To the best of our knowledge, there is no other approach, employing BMC, that is able to verify Qt-based applications. Future Work QtOM will be extended to support more modules, with the goal of increasing the Qt framework coverage. Conformance testing procedures will be developed for validating QtOM. All benchmarks, OMs, tools, and experimental results are available at http://esbmc.org/qtom

Demonstration

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback