Some Improvements for More Precise Model Checking Zhi Zhang State Key Laboratory for Novel Software Technology Nanjing University, China.

Outline 1 Introduction 2 EMOPS overview 3 Some improvements taken in EMOPS 4 Experimental results 5 Conclusion and future work

Introduction

Model checking is an automatic technique for verifying finite-state systems. It exhaustively checks a finite-state model of a system for violations of a safety property that is formally specified as a formula in some temporal logic, an automaton, or a collection of assertions.

[Diagram: the checked system is abstracted into a finite-state model and the safety property into a safety model; the model checker takes both and produces the results.]

Introduction

Existing model checkers either cannot be applied to large-scale systems because of state explosion, or, like MOPS, trade precision for scalability. To overcome these problems we have developed an extended tool based on MOPS, called EMOPS, which greatly increases MOPS' precision while maintaining its scalability.

EMOPS overview

Components: dataflow analysis, model checker, counterexample path verification.

Contributions:
1. Combination of control flow and dataflow information
2. Extended model checking algorithm
3. Counterexample path verification

Some improvements taken in EMOPS: dataflow analysis

Program slice under the guidance of the security model
- Rules for program slice
- Purpose of program slice: get the safety-relevant functions and reduce the cost of dataflow analysis

Some improvements taken in EMOPS: dataflow analysis

Demand-driven dataflow analysis
- Rules for dataflow analysis
- Purpose: the demand-driven alias analysis is done on the safety-relevant functions in bottom-up order to further reduce the cost of dataflow analysis.

Some improvements taken in EMOPS: dataflow analysis

Algorithm for dataflow analysis:
1. Construct the call graph.
2. For each leaf node nd: Demand-Driven Alias Analysis(nd).
3. For each node nd in a loop of the call graph: Fix Point Computation(nd).
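The two dataflow slides above (slicing guided by the safety model, then bottom-up demand-driven analysis with fixpoint computation for nodes in call-graph loops) can be shown on a small call graph. The following is an added example, not EMOPS code: it assumes the call graph is a dict from each user function to its callees, that the safety model names the API functions it observes (free for a double-free model), and that the "compaction rate" is the fraction of user functions removed by the slice; the call graph itself is constructed.

```python
"""Safety-model-guided call-graph slice and bottom-up analysis order.

Added example, not EMOPS code. Assumes the call graph is a dict from each
user function to the functions it calls, and that the safety model names the
API functions it tracks (for a double-free model: free). Everything below is
constructed for illustration."""
from collections import defaultdict

# Constructed call graph. Externals (malloc, free, ...) appear only as callees.
CALL_GRAPH = {
    "main":       ["parse_args", "run", "log_stats"],
    "parse_args": ["strdup"],
    "run":        ["load", "process", "cleanup"],
    "load":       ["malloc", "read_file"],
    "process":    ["transform"],
    "transform":  ["process", "release"],   # mutual recursion with process
    "release":    ["free"],
    "cleanup":    ["free"],
    "log_stats":  ["printf"],
}
SAFETY_MODEL_APIS = {"free"}   # the double-free automaton only observes free()


def safety_relevant_functions(call_graph, api_funcs):
    """Slicing rule: keep a user function iff some call of an API in the safety
    model is reachable from it through the call graph."""
    callers = defaultdict(set)
    for fn, callees in call_graph.items():
        for callee in callees:
            callers[callee].add(fn)
    relevant, work, seen = set(), list(api_funcs), set(api_funcs)
    while work:                       # reverse reachability from the API calls
        for caller in callers[work.pop()]:
            if caller not in seen:
                seen.add(caller)
                relevant.add(caller)
                work.append(caller)
    return relevant


def compaction(call_graph, relevant):
    """(functions before slice, functions after slice, compaction rate);
    assumed definition: rate = fraction of user functions removed."""
    before, after = len(call_graph), len(relevant)
    return before, after, (before - after) / before


def bottom_up_order(call_graph, keep):
    """Tarjan's SCC algorithm restricted to the sliced functions. SCCs are
    emitted callees-first, i.e. the bottom-up order in which demand-driven
    alias analysis runs; an SCC containing a cycle needs fixpoint computation."""
    index, low, stack, on_stack, order = {}, {}, [], set(), []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in call_graph.get(v, []):
            if w not in keep:
                continue
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of an SCC
            comp = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.append(w)
                if w == v:
                    break
            recursive = len(comp) > 1 or v in call_graph.get(v, [])
            order.append((sorted(comp), recursive))

    for v in sorted(keep):
        if v not in index:
            visit(v)
    return order


if __name__ == "__main__":
    kept = safety_relevant_functions(CALL_GRAPH, SAFETY_MODEL_APIS)
    print("safety-relevant:", sorted(kept))
    print("compaction (before, after, rate):", compaction(CALL_GRAPH, kept))
    for comp, recursive in bottom_up_order(CALL_GRAPH, kept):
        print(("fixpoint:      " if recursive else "demand-driven: ") + ", ".join(comp))
```

On the constructed graph the slice drops parse_args, load and log_stats (they never reach free), and the order places release and cleanup before the recursive process/transform pair, which is the only group that needs fixpoint computation, and main last.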

Some improvements taken in EMOPS: model checker

Extended rules for PDA. For an edge in the program's CFG from program point p1 to p2 with a statement i:
(1) If i is not a function call →
(2) If i is a call to a function f →
(3) If i is a return statement from a function f →

Extended algorithm for model checker
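The three edge kinds listed above (ordinary statement, call to f, return from f) are what the pushdown model checker has to handle. The following is an added example, not MOPS or EMOPS code: it realises pushdown reachability for a safety automaton through function summaries over (program point, automaton state) pairs, which is one standard way of doing it, and does not model the extra dataflow facts that EMOPS threads through its extended rules. The CFG encoding, the double-free automaton and both sample programs are constructed.

```python
"""Interprocedural check of a safety automaton against a CFG with calls.

Added example, not MOPS or EMOPS code. The three edge kinds (ordinary
statement, call to f, return from f) drive a summary-based reachability over
(program point, automaton state) pairs, one standard way to realise
pushdown-automaton reachability. The CFG encoding, the double-free automaton
and both sample programs are constructed."""
from collections import defaultdict

ERR = "error"


def double_free_step(state, event):
    """Constructed safety automaton tracking one heap pointer."""
    if event == "malloc":
        return "live"
    if event == "free":
        if state == "live":
            return "freed"
        if state == "freed":
            return ERR            # second free of the same pointer
    return state                  # unrelated statements leave the state alone


# func -> entry/exit node and edges (src, dst, kind, arg); kind is "stmt"
# (arg = observed event or None), "call" (arg = callee) or "ret".
BUGGY = {
    "main": {"entry": "m0", "exit": "m3", "edges": [
        ("m0", "m1", "stmt", "malloc"),
        ("m1", "m2", "call", "release"),
        ("m2", "m3", "call", "release"),     # releases the pointer twice
    ]},
    "release": {"entry": "r0", "exit": "r2", "edges": [
        ("r0", "r1", "stmt", "free"),
        ("r1", "r2", "ret", None),
    ]},
}
FIXED = {
    "main": {"entry": "m0", "exit": "m3", "edges": [
        ("m0", "m1", "stmt", "malloc"),
        ("m1", "m2", "call", "release"),
        ("m2", "m3", "stmt", None),
    ]},
    "release": BUGGY["release"],
}


def check(program, step, init_state, entry="main"):
    """Return [(src, dst, event, state before)] for every edge whose statement
    drives the automaton into ERR in some calling context."""
    succ, owner = defaultdict(list), {}
    for f, cfg in program.items():
        for s, d, kind, arg in cfg["edges"]:
            succ[s].append((d, kind, arg))
            owner[s] = owner[d] = f
    summaries = defaultdict(set)   # (func, state at entry) -> states at exit
    pending = defaultdict(set)     # (func, state at entry) -> (return point, caller ctx)
    seen, work, errors = set(), [], []

    def push(node, ctx, state):
        if (node, ctx, state) not in seen:
            seen.add((node, ctx, state))
            work.append((node, ctx, state))

    push(program[entry]["entry"], init_state, init_state)
    while work:
        node, ctx, state = work.pop()
        f = owner[node]
        if node == program[f]["exit"]:           # f returns: publish its summary
            summaries[(f, ctx)].add(state)
            for ret_point, caller_ctx in pending[(f, ctx)]:
                push(ret_point, caller_ctx, state)
        for dst, kind, arg in succ[node]:
            if kind == "stmt":                   # rule 1: ordinary statement
                new = step(state, arg)
                if new == ERR:
                    errors.append((node, dst, arg, state))
                else:
                    push(dst, ctx, new)
            elif kind == "call":                 # rule 2: remember the return point
                pending[(arg, state)].add((dst, ctx))
                push(program[arg]["entry"], state, state)
                for exit_state in summaries[(arg, state)]:
                    push(dst, ctx, exit_state)
            else:                                # rule 3: return statement
                push(dst, ctx, state)
    return errors


if __name__ == "__main__":
    print("buggy:", check(BUGGY, double_free_step, "null"))
    print("fixed:", check(FIXED, double_free_step, "null"))
```

Because release is analysed once per distinct entry state rather than once per call site, the check stays context-sensitive: the second call of release is entered in state freed and the free inside it is reported, while the single call in FIXED produces no alarm.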

Some improvements taken in EMOPS: counterexample path verification

Purpose: to improve the precision of the model checking results and reduce false positives.
Method: we employ the model checker BLAST to verify the feasibility of each counterexample path.
Steps of path verification:
(1) Path instrumentation
(2) Path verification by BLAST
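Step (1), turning a counterexample path into something BLAST can check, can be illustrated without BLAST itself. The following is an added example, not EMOPS code: it renders a path as a straight-line C program in which every branch condition on the path becomes an assume and the property violation becomes the ERROR label BLAST searches for, and it adds a constant-propagation pre-check that rejects paths whose conditions already contradict each other before any solver runs. The step encoding, the shape of the instrumented program and both sample paths are assumptions constructed here.

```python
"""Counterexample path instrumentation and a cheap feasibility pre-check.

Added example, not EMOPS code. The path encoding, the shape of the
instrumented C program and both sample paths are constructed."""

# A path is a list of steps: ("decl", "int n"), ("assign", "n", "0"),
# ("assume", "n > 0") for the branch taken, or ("stmt", "free(p)").
INFEASIBLE_PATH = [
    ("decl", "int n"), ("decl", "char *p"),
    ("assign", "n", "0"),
    ("stmt", "p = malloc(16)"),
    ("assume", "n == 0"),
    ("stmt", "free(p)"),
    ("assume", "n > 0"),        # contradicts n == 0: this path cannot execute
    ("stmt", "free(p)"),
]
REAL_PATH = [
    ("decl", "int n"), ("decl", "char *p"),
    ("assign", "n", "1"),
    ("stmt", "p = malloc(16)"),
    ("assume", "n > 0"),
    ("stmt", "free(p)"),
    ("assume", "n == 1"),
    ("stmt", "free(p)"),        # genuine double free on a feasible path
]


def instrument(path):
    """Render the path as the straight-line C program handed to the path
    verifier (assumed shape): each assume becomes an early return so that
    only executions following the path can reach the ERROR label."""
    lines = ["int main(void) {"]
    for step in path:
        if step[0] == "decl":
            lines.append(f"  {step[1]};")
        elif step[0] == "assign":
            lines.append(f"  {step[1]} = {step[2]};")
        elif step[0] == "assume":
            lines.append(f"  if (!({step[1]})) return 0;  /* leaves the path */")
        else:
            lines.append(f"  {step[1]};")
    lines += ["  ERROR: goto ERROR;  /* property violation */", "}"]
    return "\n".join(lines)


def precheck(path):
    """'infeasible' if constant propagation already refutes an assume,
    'feasible' if every assume was decided true, else 'unknown' (leave it to
    the solver-backed verifier)."""
    env, undecided = {}, False
    for step in path:
        if step[0] == "assign":
            try:      # constructed expressions only; builtins are disabled
                env[step[1]] = eval(step[2], {"__builtins__": {}}, dict(env))
            except NameError:
                env.pop(step[1], None)    # value depends on unknown input
        elif step[0] == "assume":
            try:
                if not eval(step[1], {"__builtins__": {}}, dict(env)):
                    return "infeasible"
            except NameError:
                undecided = True
    return "unknown" if undecided else "feasible"


if __name__ == "__main__":
    for name, path in (("infeasible", INFEASIBLE_PATH), ("real", REAL_PATH)):
        print(f"== {name}: {precheck(path)}")
        print(instrument(path))
```

The pre-check is deliberately conservative: any condition it cannot evaluate leaves the verdict at unknown, so a path is only discarded when it is certainly infeasible, which is the behaviour a path filter needs if it is not to hide real violations.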

Experimental results of EMOPS and MOPS

Vulnerability    Application            MOPS  EMOPS  Real/Total CE-paths  Path filter
Double Free      cvs                    NO    YES    1(2)                 1
                 krb                          YES    1(1)                 0
Memory Leak      squid-2.4.STABLE3      NO    YES    1(4)                 2
                 wget                   NO    YES    1(9)                 6
                 which-2.16             NO    YES    1(5)                 2
Buffer Overflow  gzip-1.2.4             NO    YES    1(1)                 0
                 ncompress-4.2.4        NO    YES    1(1)                 0
                 sendmail-8.7.5         NO    YES    1(2)                 1
                 wu-ftpd beta-18-vr8    NO    YES    1(3)                 2

Experimental results: results of program slice

Application           Before program slice  After program slice  Compaction rate
cvs                                                              %
krb                                                              %
squid-2.4.STABLE                                                 %
wget
which                                                            %
gzip                                                             %
ncompress                                                        %
sendmail                                                         %
wu-ftpd beta-18-vr                                               %

Experimental results: comparison between alias analysis based on points-to sets and the demand-driven method, and their cost (ms)

Application           Traditional dataflow analysis (ms)  Demand-driven dataflow analysis (ms)  Improvement rate
cvs                                                                                             %
krb                                                                                             %
squid-2.4.STABLE                                                                                %
wget                                                                                            %
which                                                                                           %
gzip                                                                                            %
ncompress                                                                                       %
sendmail                                                                                        %
wu-ftpd beta-18-vr                                                                              %

Conclusion and future work

We describe a tool, EMOPS, which improves MOPS's performance in two respects:
(1) combination of control flow and dataflow information
(2) path verification

Future work: in EMOPS, as in most program analysis tools, the safety model for the temporal safety property has to be constructed manually. In our future work we will try to automate this process, using mining techniques to obtain the specification of the temporal safety property from the source code.