Seminar in Software Engineering Presented by Dima Pavlov, November 2010

Seminar in Software Engineering-236800 Presented by Dima Pavlov, November 2010

1. Introduction
2. Overview: CBMC and SAT
3. CBMC loop unwinding
4. Running CBMC
5. Let's compare
6. How does it work?
7. Conclusions

CBMC allows verifying:
- Array bounds (buffer overflows)
- Pointer safety
- User-specified assertions
- Exceptions

Complex language features, such as:
- Bit-vector operators (shifting, and, or; e.g. operator=(const BitVector &RHS), void swap)
- Pointers and pointer arithmetic (ptr++;)
- Dynamic memory allocation: malloc/free
- Dynamic data types: char s[n]

CBMC searches for a counterexample among traces whose length is bounded by some integer n. If no bug is found, the bound n is increased until either a bug is found, a bound ensuring correctness is reached, or the problem gets too big or takes too much time. The BMC problem can be efficiently reduced to a propositional satisfiability (SAT) problem and can therefore be solved by standard SAT methods.

- More than eight years on the market
- Was used to find previously unknown bugs in MS Windows device drivers
- Known to scale to programs with over 30K LOC

Developed at CMU and Oxford by Daniel Kroening et al.

CBMC + logic + SAT = Full Model

Transform the program into a control flow graph (CFG)

Idea: Follow paths through the CFG to an assertion, and build a formula that corresponds to the path

We pass the formula to a SAT solver and obtain a satisfying assignment.

Solvers:
- Z3 (Microsoft): a high-performance theorem prover
- Yices (SRI)
- Boolector

Main idea: given a program and a claim, use a SAT solver to find out whether there exists an execution that violates the claim. We do not want the program to crash, so what SAT result do we want?

Pipeline: Program + Claim -> Analysis Engine -> CNF -> SAT Solver -> SAT (counterexample exists) / UNSAT (no counterexample found)

Program:
    int x;
    int y=8, z=0, w=0;
    if (x) z = y - 1; else w = y + 1;
    assert (z == 7 || w == 9);

Constraints (the claim is negated using De Morgan's laws, so CBMC looks for the opposite):
    y = 8,
    z = x ? y - 1 : 0,
    w = x ? 0 : y + 1,
    z != 7, w != 9

UNSAT: no counterexample, the assertion always holds!

Program:
    int x;
    int y=8, z=0, w=0;
    if (x) z = y - 1; else w = y + 1;
    assert (z == 5 || w == 9);

Constraints:
    y = 8,
    z = x ? y - 1 : 0,
    w = x ? 0 : y + 1,
    z != 5, w != 9

SAT: counterexample found! y = 8, x = 1, w = 0, z = 7
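An added example, not from the slides: a tiny C model of the two slides above. It enumerates the program's paths and checks the negated claim the way CBMC hands it to the SAT solver, returning the satisfying assignment (the counterexample) when one exists. The struct and function names are mine.

```c
#include <stdbool.h>
#include <stdio.h>

/* Satisfying assignment of the constraint system, if any. */
typedef struct { bool found; int x, y, z, w; } counterexample;

/* Constraint system from the slides: y = 8, z = x ? y-1 : 0, w = x ? 0 : y+1,
 * conjoined with the NEGATED claim (De Morgan: !(z==a || w==b) == z!=a && w!=b).
 * The "solver" enumerates x in {0,1}: only the truth value of x is used by
 * the program, so these two values cover every execution path. */
static counterexample find_counterexample(int expect_z, int expect_w) {
    counterexample ce = { false, 0, 0, 0, 0 };
    for (int x = 0; x <= 1; x++) {
        int y = 8;
        int z = x ? y - 1 : 0;
        int w = x ? 0 : y + 1;
        if (z != expect_z && w != expect_w) {   /* negated claim satisfied: SAT */
            ce.found = true; ce.x = x; ce.y = y; ce.z = z; ce.w = w;
            return ce;
        }
    }
    return ce;  /* UNSAT: the original assertion holds on every path */
}

int main(void) {
    counterexample a = find_counterexample(7, 9);  /* first slide: UNSAT */
    counterexample b = find_counterexample(5, 9);  /* second slide: SAT */
    printf("assert(z==7||w==9): %s\n", a.found ? "SAT" : "UNSAT");
    printf("assert(z==5||w==9): %s, x=%d y=%d z=%d w=%d\n",
           b.found ? "SAT" : "UNSAT", b.x, b.y, b.z, b.w);
    return 0;
}
```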

Why? Let's assume that: t = 65

A SAT solver can only explore finite-length executions! Loops must be bounded (i.e., the analysis is incomplete).

Pipeline: Program + Claim + Bound (n) -> Analysis Engine -> CNF -> SAT Solver -> SAT (counterexample exists) / UNSAT (no counterexample of bound n is found)

CBMC is an ANSI-C model checker. CBMC transforms the code into a satisfiability problem; the SAT solver then searches for a satisfying assignment.

- For help: cbmc --help
- To see the list of claims: cbmc --show-claims
- To check a single claim: cbmc --unwind n --claim x
- cbmc file1.c --show-claims --bounds-check --pointer-check

Like a compiler, CBMC takes the names of .c files as command line arguments. CBMC then translates the program and merges the function definitions from the various .c files, just like a linker. But instead of producing a binary for execution, CBMC performs symbolic simulation on the program.

    int puts(const char *s) { return 0; }   /* stub for the library function */
    int main(int argc, char **argv) {
        int i;
        if(argc>=1)
            puts(argv[2]);
    }

Will it pass compilation? Yes, though this program is faulty, as the argv array might have only one element, and then the array access argv[2] is out of bounds. Now, run CBMC as follows:

    cbmc file1.c --show-claims --bounds-check --pointer-check

The two options --bounds-check and --pointer-check instruct CBMC to look for errors related to array bounds and pointers.

1. CBMC prints the list of properties it checks.
2. It largely determines the properties it needs to check itself.

Whether one of these claims corresponds to a bug needs to be determined by further analysis. One option for this analysis is symbolic simulation, which corresponds to a translation of the program into a formula:

    cbmc file1.c --show-vcc --bounds-check --pointer-check

Verification conditions: a verification condition needs to be proven valid by a SAT solver in order to assert that the corresponding property holds.

    cbmc file1.c --bounds-check --pointer-check

    int puts(const char *s) { return 0; }   /* stub for the library function */
    int main(int argc, char **argv) {
        int i;
        if(argc>=1)
            puts(argv[2]);
    }

How can we fix the problem? Only access argv[2] when it is known to exist:

    int puts(const char *s) { return 0; }   /* stub for the library function */
    int main(int argc, char **argv) {
        int i;
        if(argc>=2)
            puts(argv[2]);
    }

CBMC is aimed at embedded software, and these kinds of programs usually have different entry points (a main function is not needed). Furthermore, CBMC is also useful for verifying program modules.

    int array[10];
    int sum() {
        unsigned i, sum;
        sum=0;
        for(i=0; i<10; i++)
            sum+=array[i];
        return sum;
    }

    cbmc file2.c --function sum

CBMC transforms the equation into CNF and passes it to a SAT solver. CBMC can now detect that the equation is actually not valid, and thus that there is a bug in the program. It prints a counterexample trace.

| Tool | Compile/run time | Used in | Customizable | Testing | On the market | Completeness | Soundness | Mainly used for (languages) |
|---|---|---|---|---|---|---|---|---|
| JML | Static checkers (ESC/Java2), also a runtime checker | by NASA | Highly | | 1997 | No false positives | No false negatives | Java |
| BLAST | Static instrumentation (compile time) | Windows drivers | No | Identify each important execution path | 2002 | Only if the verification succeeds is a formal proof created | No false alarms | C |
| CBMC | SSA | Windows drivers | No | Yes | 2003 | No: only reports counterexamples | Yes | C/C++ |

Transform a program into a set of equations:
1. Simplify control flow
2. Unwind all of the loops
3. Convert into Static Single Assignment (SSA) form
4. Convert into equations
5. Solve with a SAT solver

- All side effects are removed, e.g., j=i++ becomes j=i; i=i+1
- Control flow is made explicit: continue and break are replaced by goto
- All loops are simplified into one form: for and do-while are replaced by while

All loops are unwound. To check whether the unwinding is sufficient, special unwinding assertion claims are added. If a program satisfies all of its claims and all unwinding assertions, then it is correct! The same applies to backward goto jumps and recursive functions.

Loop unwinding: while() loops are unwound iteratively, break/continue having already been replaced by goto.

Original:
    void f(...) {
        ...
        while(cond) {
            Body;
        }
        Remainder;
    }

Unwound three times, with the unwinding assertion inserted after the last iteration:
    void f(...) {
        ...
        if(cond) {
            Body;
            if(cond) {
                Body;
                if(cond) {
                    Body;
                    assert(!cond);   /* unwinding assertion */
                }
            }
        }
        Remainder;
    }

The unwinding assertion is violated if the program runs longer than the bound permits. If it holds, that is a positive correctness result: it is called a high-level worst-case execution time (WCET) bound, which is very appropriate for embedded software.

Example with unwind = 3:
    void f(...) {
        j = 1;
        while (j <= 2)
            j = j + 1;
        Remainder;
    }

becomes

    void f(...) {
        j = 1;
        if(j <= 2) {
            j = j + 1;
            if(j <= 2) {
                j = j + 1;
                if(j <= 2) {
                    j = j + 1;
                    assert(!(j <= 2));
                }
            }
        }
        Remainder;
    }

Example with unwind = 3 and a longer loop:
    void f(...) {
        j = 1;
        while (j <= 10)
            j = j + 1;
        Remainder;
    }

becomes

    void f(...) {
        j = 1;
        if(j <= 10) {
            j = j + 1;
            if(j <= 10) {
                j = j + 1;
                if(j <= 10) {
                    j = j + 1;
                    assert(!(j <= 10));
                }
            }
        }
        Remainder;
    }
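An added example, not from the slides: a native C model of the unwinding shown above, parameterised by the loop limit and the unwind bound, so the two slide cases (j <= 2 and j <= 10 at unwind = 3) can be replayed and the general rule checked: the unwinding assertion holds exactly when the bound covers every iteration the loop needs. The struct and function names are mine.

```c
#include <stdbool.h>
#include <stdio.h>

/* Outcome of unwinding `j = 1; while (j <= limit) j = j + 1;` to a fixed depth. */
typedef struct {
    int  final_j;            /* value of j when Remainder is reached */
    int  bodies_executed;    /* how many of the `unwind` copies of Body ran */
    bool assertion_reached;  /* all `unwind` guards were true */
    bool assertion_holds;    /* assert(!(j <= limit)); true if never reached */
} unwind_result;

/* Emulates the transformation on the slides: the while loop becomes `unwind`
 * nested `if (cond) { Body; ... }` blocks, with assert(!cond) inside the
 * innermost one, so the unwinding assertion is evaluated only when every
 * guard was true, i.e. when the loop wanted to run longer than the bound. */
static unwind_result unwind_loop(int limit, unsigned unwind) {
    unwind_result r = { 1, 0, false, true };
    int j = 1;
    for (unsigned k = 0; k < unwind; k++) {
        if (!(j <= limit))           /* guard false: stop nesting, Remainder follows */
            break;
        j = j + 1;                   /* Body */
        r.bodies_executed++;
        if (k + 1 == unwind) {       /* innermost copy carries the unwinding assertion */
            r.assertion_reached = true;
            r.assertion_holds = !(j <= limit);
        }
    }
    r.final_j = j;
    return r;
}

int main(void) {
    unwind_result a = unwind_loop(2, 3);   /* slide: while (j <= 2), unwind = 3 */
    unwind_result b = unwind_loop(10, 3);  /* slide: while (j <= 10), unwind = 3 */
    printf("limit 2, unwind 3: bodies=%d, assertion %s\n",
           a.bodies_executed, a.assertion_holds ? "holds" : "VIOLATED");
    printf("limit 10, unwind 3: bodies=%d, j=%d, assertion %s\n",
           b.bodies_executed, b.final_j, b.assertion_holds ? "holds" : "VIOLATED");
    return 0;
}
```

Raising the bound to 10 for the second loop makes the assertion hold again, which is the "increase n until a bound ensuring correctness is reached" step from the overview.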

Easy to transform when every variable is only assigned once!

Program (already in SSA form):
    x = a;
    y = x + 1;
    z = y - 1;

No ambiguity. Constraints:
    x = a && y = x + 1 && z = y - 1 && ...

When a variable is assigned multiple times, use a new (indexed) variable for each assignment; later uses on the right-hand side refer to the latest version.

Program:
    if (v) x = y; else x = z;
    w = x;

SSA program:
    if (v0) x0 = y0; else x1 = z0;
    w1 = x??;        What should x be?

For each join point, add a new variable with a selector:
    if (v0) x0 = y0; else x1 = z0;
    x2 = v0 ? x0 : x1;
    w1 = x2;

Summary:
- Developed at CMU and used for Windows
- CBMC + SAT = Full Model
- Running CBMC
- Compared to JML and BLAST
- How does it work: from code to formula

Thank you! Meet at the computer lab.