Presentation is loading. Please wait.

Presentation is loading. Please wait.

Johannes Kepler University Linz, Austria 2008 Leonardo de Moura and Nikolaj Bjørner Microsoft Research.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Johannes Kepler University Linz, Austria 2008 Leonardo de Moura and Nikolaj Bjørner Microsoft Research."— Presentation transcript:

1 Johannes Kepler University Linz, Austria 2008 Leonardo de Moura and Nikolaj Bjørner Microsoft Research

2 Industry tools rely on powerful verification engines. Boolean satisfiability (SAT) solvers. Binary decision diagrams (BDDs). Satisfiability Modulo Theories (SMT) The next generation of verification engines. SAT solver + Theories Some problems are more naturally expressed in SMT. More automation. SMT @ Microsoft

3 ArithmeticArithmetic Array Theory Uninterpreted Functions

4 SMT-Solvers: Argo-Lib, Ario, Barcelogic, CVC, CVC Lite, CVC3, ExtSAT, Fx7, Fx8, Harvey, HTP, ICS, Jat, MathSAT, Sateen, Simplify, Spear, STeP, STP, SVC, TSAT, TSAT++, UCLID, Yices, Zap, Z3 (Microsoft) SMT-LIB: library of benchmarks. http://www.smtlib.org SMT-Comp: annual SMT-Solver competition. http://www.smtcomp.org SMT @ Microsoft

5 Test-case generation. Pex, Yogi, Vigilante, Sage Verifying compiler. Spec#, VCC, Havoc ESC/Java Model Checking & Predicate Abstraction. SLAM/SDV, Yogi Bounded Model Checking (BMC) & k-induction Planning & Scheduling Equivalence Checking. SMT @ Microsoft

6 Z3 is a new SMT solver developed at Microsoft. Version 0.1 competed in SMT-COMP’07. Version 1.2 is the latest release. Free for academic research. It is used in several program analysis, verification, test- case generation projects at Microsoft. http://research.microsoft.com/projects/z3 SMT @ Microsoft

7 Linear real and integer arithmetic. Fixed-size bit-vectors Uninterpreted functions Extensional arrays Quantifiers Model generation Several input formats (Simplify, SMT-LIB, Z3, Dimacs) Extensive API (C/C++,.Net, OCaml) SMT @ Microsoft

8 Theories Core Theory SAT solver Rewriting Simplification Bit-Vectors Arithmetic Partial orders Tuples E-matching Arrays OCaml Text.NET C C

9 Model-based Theory Combination How to efficiently combine theory solvers? Use models to control Theory Combination. E-matching abstract machine Term indexing data-structures for incremental matching modulo equalities. Relevancy propagation Use Tableau advantages with DPLL engine SMT @ Microsoft

10

11 Test (correctness + usability) is 95% of the deal: Dev/Test is 1-1 in products. Developers are responsible for unit tests. Tools: Annotations and static analysis (SAL, ESP) File Fuzzing Unit test case generation: program analysis tools, automated theorem proving. SMT @ Microsoft

12 Security bugs can be very expensive: Cost of each MS Security Bulletin: $600K to $Millions. Cost due to worms (Slammer, CodeRed, etc.): $Billions. The real victim is the customer. Most security exploits are initiated via files or packets: Ex: Internet Explorer parses dozens of files formats. Security testing: hunting for million-dollar bugs Write A/V (always exploitable), Read A/V (sometimes exploitable), NULL-pointer dereference, Division-by-zero (harder to exploit but still DOS attack),... SMT @ Microsoft

13 Two main techniques used by “black hats”: Code inspection (of binaries). Black box fuzz testing. Black box fuzz testing: A form of black box random testing. Randomly fuzz (=modify) a well formed input. Grammar-based fuzzing: rules to encode how to fuzz. Heavily used in security testing At MS: several internal tools. Conceptually simple yet effective in practice SMT @ Microsoft

14 Execution Path Run Test and Monitor Path Condition Unexplored path Solve seed New input Test Inputs Nikolai Tillmann, Peli de Halleux, Patrice Godefroid Aditya Nori, Jean Philippe Martin, Miguel Castro, Manuel Costa, Lintao Zhang Constraint System Known Paths Vigilante

15 SMT @ Microsoft error(); z > x-y Return z Input x, y z := x + y z > x-y Return z Input x, y z := x + y error(); z > x-y Input x, y z := x + y Solve: z = x + y  z > x - ySolve: z = x + y  z  x - y x = 1, y = 2 x = -2, y = -3

16 Formulas may be a big conjunction Pre-processing step Eliminate variables and simplify input format Incremental: solve several similar formulas New constraints are asserted. push and pop: (user) backtracking Lemma reuse SMT @ Microsoft

17 “Small Models” Given a formula F, find a model M, that minimizes the value of the variables x 0 … x n Eager (cheap) Solution: Assert C. While satisfiable Peek x i such that M[x i ] is big Assert x i < c, where c is a small constant Return last found model True Arithmetic × Machine Arithmetic SMT @ Microsoft

18 A verifying compiler uses automated reasoning to check the correctness of a program that is compiles. Correctness is specified by types, assertions,... and other redundant annotations that accompany the program. Tony Hoare 2004

19 SMT @ Microsoft VCC Boogie Hyper-V Rustan Leino, Mike Barnet, Michal Mosƙal, Shaz Qadeer, Shuvendu Lahiri, Herman Venter, Peter Muller, Wolfram Schulte, Ernie Cohen Verification condition Bug path HAVOC

20 Source Language C# + goodies = Spec# Specifications method contracts, invariants, field and type annotations. Program Logic: Dijkstra’s weakest preconditions. Automatic Verification type checking, verification condition generation (VCG), automatic theorem proving (SMT) SMT @ Microsoft Spec# (annotated C#) Boogie PL Spec# Compiler VC Generator Formulas Automatic Theorem Prover

21 Spec# (annotated C#) ⇒ Boogie PL ⇒ Formulas Example: class C { private int a, z; invariant z > 0; public void M() requires a != 0; { z = 100/a; } } Weakest preconditions: wp(S; T,Q) = wp(S, wp(T,Q)) wp(assert C,Q) = C ∧ Q SMT @ Microsoft

22 Meta OS: small layer of software between hardware and OS. Mini: 60K lines of non-trivial concurrent systems C code. Critical: simulates a number of virtual x64 machines Trusted: a grand verification challenge. SMT @ Microsoft Hardware Hypervisor

23 VCC translates an annotated C program into a Boogie PL program. Boogie generates verification conditions: Z3 (automatic) Isabelle (interactive) A C-ish memory model Abstract heaps Bit-level precision The verification project has very recently started. It is a multi-man multi-year effort. SMT @ Microsoft

24 A tool for specifying and checking properties of systems software written in C. It also translates annotated C into Boogie PL. It allows the expression of richer properties about the program heap and data structures such as linked lists and arrays. HAVOC is being used to specify and check: Complex locking protocols over heap-allocated data structures in Windows. Properties of collections such as IRP queues in device drivers. Correctness properties of custom storage allocators. SMT @ Microsoft

25 Quantifiers, quantifiers, quantifiers, … Modeling the runtime Frame axioms (“what didn’t change”) Users provided assertions (e.g., the array is sorted) Prototyping decision procedures (e.g., reachability, heaps, …) Solver must be fast in satisfiable instances. Trade-off between precision and performance. Candidate (Potential) Models SMT @ Microsoft

26 Semantically, ∀ x 1, …, x n.F is equivalent to the infinite conjunction  1 (F)   2 (F)  … Solvers use heuristics to select from this infinite conjunction those instances that are “relevant”. The key idea is to treat an instance (F) as relevant whenever it contains enough terms that are represented in the solver state. Non ground terms p from F are selected as patterns. E-matching (matching modulo equalities) is used to find instances of the patterns. Example: f(a, b) matches the pattern f(g(x), x) if a = g(b). SMT @ Microsoft

27 E-matching is NP-Hard The number of matches can be exponential. It is not refutationally complete. In practice: Indexing techniques for fast retrieval. Incremental E-matching. SMT @ Microsoft

28 ∀ x.f(g(x)) = x Pattern: f(g(x)) Atoms: a = g(b), b = c, f(a) ≠ c Instantiate f(g(b)) = b SMT @ Microsoft

29 Z3 uses a E-matching abstract machine. Patterns → code sequence. Abstract machine executes the code. Z3 uses new algorithms that identify matches on E- graphs incrementally and efficiently. E-matching code trees. Inverted path index. Z3 garbage collects clauses, together with their atoms and terms, that were useless in closing branches. SMT @ Microsoft

30 Ella Bounimova, Vlad Levin, Jakob Lichtenberg, Tom Ball, Sriram Rajamani, Byron Cook

31 http://research.microsoft.com/slam/ SLAM/SDV is a software model checker. Application domain: device drivers. Architecture: c2bp C program → boolean program (predicate abstraction). bebop Model checker for boolean programs. newton Model refinement (check for path feasibility) SMT solvers are used to perform predicate abstraction and to check path feasibility. c2bp makes several calls to the SMT solver. The formulas are relatively small. SMT @ Microsoft

32 Given a C program P and F = {p 1, …, p n }. Produce a Boolean program B(P, F) Same control flow structure as P. Boolean variables {b 1, …, b n } to match {p 1, …, p n }. Properties true in B(P, F) are true in P. Each p i is a pure Boolean expression. Each p i represents set of states for which p i is true. Performs modular abstraction. SMT @ Microsoft

33 Implies F (e) Best Boolean function over F that implies e. ImpliedBy F (e) Best Boolean function over F that is implied by e. ImpliedBy F (e) = not Implies F (not e) SMT @ Microsoft

34 minterm m = l 1 ∧... ∧ l n, where l i = p i, or l i = not p i. Implies F (e): disjunction of all minterms that imply e. Naive approach Generate all 2 n possible minterms. For each minterm m, use SMT solver to check validity of m ⇒ e. Many possible optimizations SMT @ Microsoft

35 Given an error path p in the Boolean program B. Is p a feasible path of the corresponding C program? Yes: found a bug. No: find predicates that explain the infeasibility. Execute path symbolically. Check conditions for inconsistency using SMT solver. SMT @ Microsoft

36 Z3 is part of SDV 2.0 (Windows 7) All-SAT Fast Predicate Abstraction Unsatisfiable cores: Why the path is not feasible?

37

38 Bounded model-checking of model programs Termination Security protocols Business application modeling Cryptography Model Based Testing (SQL-Server) Your killer-application here SMT @ Microsoft

39 Coming soon (Z3 2.0): Proofs & Unsat cores Superposition Calculus Decidable Fragments Machine Learning Non linear arithmetic (Gröbner Bases) Inductive Datatypes Improved Array & Bit-vector theories Several performance improvements More “customers” & Applications SMT @ Microsoft

40 Formal verification is hot at Microsoft. Z3 is a new SMT solver from Microsoft Research. Z3 is used in several projects. Z3 is freely available for academic research: http://research.microsoft.com/projects/z3 SMT @ Microsoft

41 © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Your SMT problem. Our joy.

Download ppt "Johannes Kepler University Linz, Austria 2008 Leonardo de Moura and Nikolaj Bjørner Microsoft Research."

Similar presentations

Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.

Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.
Satisfiability Modulo Theories and Network Verification Nikolaj Bjørner Microsoft Research Formal Methods and Networks Summer School Ithaca, June 10-14.

Satisfiability Modulo Theories and Network Verification Nikolaj Bjørner Microsoft Research Formal Methods and Networks Summer School Ithaca, June
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
50.530: Software Engineering

50.530: Software Engineering
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀

SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 Regression-Verification Benny Godlin Ofer Strichman Technion.

1 Regression-Verification Benny Godlin Ofer Strichman Technion.
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.

Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
Logic as the lingua franca of software verification Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A Joint work with Andrey Rybalchenko.

Logic as the lingua franca of software verification Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A Joint work with Andrey Rybalchenko.
Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.

Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
Leonardo de Moura and Nikolaj Bjørner Microsoft Research.

Leonardo de Moura and Nikolaj Bjørner Microsoft Research.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA Invited talk Informatics Education in Europe (IEE III’08)

K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA Invited talk Informatics Education in Europe (IEE III’08)
MIX 09 4/15/2017 11:14 PM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.

MIX 09 4/15/ :14 PM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.

Similar presentations

Ads by Google