Presentation is loading. Please wait.

Presentation is loading. Please wait.

SAT & SMT. Software Verification & Testing SAT & SMT Test case generation Predicate Abstraction Verifying Compilers.

Published byLily Carroll Modified over 9 years ago

Similar presentations

Presentation on theme: "SAT & SMT. Software Verification & Testing SAT & SMT Test case generation Predicate Abstraction Verifying Compilers."— Presentation transcript:

1 SAT & SMT

2 Software Verification & Testing SAT & SMT Test case generation Predicate Abstraction Verifying Compilers

3 Software Verification & Testing SATTheoriesSMT Arithmetic Bit-vectors Arrays …

4 Software Verification & Testing SMT Test case generation Predicate Abstraction Verifying Compilers

5 unsigned GCD(x, y) { requires(y > 0); while (true) { unsigned m = x % y; if (m == 0) return y; x = y; y = m; } Software Verification & Testing We want a trace where the loop is executed twice. (y 0 > 0) and (m 0 = x 0 % y 0 ) and not (m 0 = 0) and (x 1 = y 0 ) and (y 1 = m 0 ) and (m 1 = x 1 % y 1 ) and (m 1 = 0) model x 0 = 2 y 0 = 4 m 0 = 2 x 1 = 4 y 1 = 2 m 1 = 0 SSASSA SMTSolverSMTSolver

6 Software Verification & Testing Test (correctness + usability) is 95% of the deal: Dev/Test is 1-1 in products. Developers are responsible for unit tests. Tools: File Fuzzing Unit test case generation

7 Security is critical Software Verification & Testing Security bugs can be very expensive: Cost of each MS Security Bulletin: $600k to $Millions. Cost due to worms: $Billions. Most security exploits are initiated via files or packets. Ex: Internet Explorer parses dozens of file formats. Security testing: hunting for million dollar bugs Write A/V Read A/V Null pointer dereference Division by zero

8 Two main techniques used by “black hats”: Code inspection (of binaries). Black box fuzz testing. Black box fuzz testing: A form of black box random testing. Randomly fuzz (=modify) a well formed input. Grammar-based fuzzing: rules to encode how to fuzz. Heavily used in security testing At MS: several internal tools. Conceptually simple yet effective in practice Software Verification & Testing

9 Execution Path Run Test and Monitor Path Condition Solve seed New input Test Inputs Constraint System Known Paths SMTSolverSMTSolver

10 Software Verification & Testing Unit x Application Trade off between performance and precision Execution path mutation: existing execution path new path Concretization x = y * z  x = 128 (if y = 2 and z = 64 in the existing path)

11 PEX Implements DART for.NET. SAGE Implements DART for x86 binaries. YOGI Implements DART to check the feasibility of program paths generated statically using a SLAM-like tool. Vigilante Partially implements DART to dynamically generate worm filters. Software Verification & Testing

12 Test input generator Pex starts from parameterized unit tests Generated tests are emitted as traditional unit tests Visual Studio Plugin Software Verification & Testing

13

14 class ArrayList { object[] items; int count; ArrayList(int capacity) { if (capacity < 0) throw...; items = new object[capacity]; } void Add(object item) { if (count == items.Length) ResizeArray(); items[this.count++] = item; }... class ArrayListTest { [PexMethod] void AddItem(int c, object item) { var list = new ArrayList(c); list.Add(item); Assert(list[0] == item); } }

15 class ArrayList { object[] items; int count; ArrayList(int capacity) { if (capacity < 0) throw...; items = new object[capacity]; } void Add(object item) { if (count == items.Length) ResizeArray(); items[this.count++] = item; }... class ArrayListTest { [PexMethod] void AddItem(int c, object item) { var list = new ArrayList(c); list.Add(item); Assert(list[0] == item); } } Inputs

16 (0,null) class ArrayList { object[] items; int count; ArrayList(int capacity) { if (capacity < 0) throw...; items = new object[capacity]; } void Add(object item) { if (count == items.Length) ResizeArray(); items[this.count++] = item; }... class ArrayListTest { [PexMethod] void AddItem(int c, object item) { var list = new ArrayList(c); list.Add(item); Assert(list[0] == item); } }

17 InputsObserved Constraints (0,null)!(c<0) class ArrayList { object[] items; int count; ArrayList(int capacity) { if (capacity < 0) throw...; items = new object[capacity]; } void Add(object item) { if (count == items.Length) ResizeArray(); items[this.count++] = item; }... class ArrayListTest { [PexMethod] void AddItem(int c, object item) { var list = new ArrayList(c); list.Add(item); Assert(list[0] == item); } } c < 0  false

18 InputsObserved Constraints (0,null)!(c<0) && 0==c class ArrayList { object[] items; int count; ArrayList(int capacity) { if (capacity < 0) throw...; items = new object[capacity]; } void Add(object item) { if (count == items.Length) ResizeArray(); items[this.count++] = item; }... class ArrayListTest { [PexMethod] void AddItem(int c, object item) { var list = new ArrayList(c); list.Add(item); Assert(list[0] == item); } } 0 == c  true

19 InputsObserved Constraints (0,null)!(c<0) && 0==c class ArrayList { object[] items; int count; ArrayList(int capacity) { if (capacity < 0) throw...; items = new object[capacity]; } void Add(object item) { if (count == items.Length) ResizeArray(); items[this.count++] = item; }... class ArrayListTest { [PexMethod] void AddItem(int c, object item) { var list = new ArrayList(c); list.Add(item); Assert(list[0] == item); } } item == item  true This is a tautology, i.e. a constraint that is always true, regardless of the chosen values. We can ignore such constraints.

20 Constraints to solve InputsObserved Constraints (0,null)!(c<0) && 0==c !(c<0) && 0!=c class ArrayList { object[] items; int count; ArrayList(int capacity) { if (capacity < 0) throw...; items = new object[capacity]; } void Add(object item) { if (count == items.Length) ResizeArray(); items[this.count++] = item; }... class ArrayListTest { [PexMethod] void AddItem(int c, object item) { var list = new ArrayList(c); list.Add(item); Assert(list[0] == item); } } SMTSolverSMTSolver

21 Constraints to solve InputsObserved Constraints (0,null)!(c<0) && 0==c !(c<0) && 0!=c(1,null) class ArrayList { object[] items; int count; ArrayList(int capacity) { if (capacity < 0) throw...; items = new object[capacity]; } void Add(object item) { if (count == items.Length) ResizeArray(); items[this.count++] = item; }... class ArrayListTest { [PexMethod] void AddItem(int c, object item) { var list = new ArrayList(c); list.Add(item); Assert(list[0] == item); } } SMTSolverSMTSolver

22 Constraints to solve InputsObserved Constraints (0,null)!(c<0) && 0==c !(c<0) && 0!=c(1,null)!(c<0) && 0!=c class ArrayList { object[] items; int count; ArrayList(int capacity) { if (capacity < 0) throw...; items = new object[capacity]; } void Add(object item) { if (count == items.Length) ResizeArray(); items[this.count++] = item; }... class ArrayListTest { [PexMethod] void AddItem(int c, object item) { var list = new ArrayList(c); list.Add(item); Assert(list[0] == item); } } 0 == c  false

23 Constraints to solve InputsObserved Constraints (0,null)!(c<0) && 0==c !(c<0) && 0!=c(1,null)!(c<0) && 0!=c c<0 class ArrayList { object[] items; int count; ArrayList(int capacity) { if (capacity < 0) throw...; items = new object[capacity]; } void Add(object item) { if (count == items.Length) ResizeArray(); items[this.count++] = item; }... class ArrayListTest { [PexMethod] void AddItem(int c, object item) { var list = new ArrayList(c); list.Add(item); Assert(list[0] == item); } } SMTSolverSMTSolver

24 Constraints to solve InputsObserved Constraints (0,null)!(c<0) && 0==c !(c<0) && 0!=c(1,null)!(c<0) && 0!=c c<0(-1,null) class ArrayList { object[] items; int count; ArrayList(int capacity) { if (capacity < 0) throw...; items = new object[capacity]; } void Add(object item) { if (count == items.Length) ResizeArray(); items[this.count++] = item; }... class ArrayListTest { [PexMethod] void AddItem(int c, object item) { var list = new ArrayList(c); list.Add(item); Assert(list[0] == item); } } SMTSolverSMTSolver

25 Constraints to solve InputsObserved Constraints (0,null)!(c<0) && 0==c !(c<0) && 0!=c(1,null)!(c<0) && 0!=c c<0(-1,null)c<0 class ArrayList { object[] items; int count; ArrayList(int capacity) { if (capacity < 0) throw...; items = new object[capacity]; } void Add(object item) { if (count == items.Length) ResizeArray(); items[this.count++] = item; }... class ArrayListTest { [PexMethod] void AddItem(int c, object item) { var list = new ArrayList(c); list.Add(item); Assert(list[0] == item); } } c < 0  true

26 Constraints to solve InputsObserved Constraints (0,null)!(c<0) && 0==c !(c<0) && 0!=c(1,null)!(c<0) && 0!=c c<0(-1,null)c<0 class ArrayList { object[] items; int count; ArrayList(int capacity) { if (capacity < 0) throw...; items = new object[capacity]; } void Add(object item) { if (count == items.Length) ResizeArray(); items[this.count++] = item; }... class ArrayListTest { [PexMethod] void AddItem(int c, object item) { var list = new ArrayList(c); list.Add(item); Assert(list[0] == item); } }

27 Apply DART to large applications (not units). Start with well-formed input (not random). Combine with generational search (not DFS). Negate 1-by-1 each constraint in a path constraint. Generate many children for each parent run. Software Verification & Testing parent generation 1

28 SAGE is very effective at finding bugs Works on large applications Fully automated Easy to deploy (x86 analysis – any language) Used in various groups inside Microsoft Found > 100 security bugs in Windows 7 Gold medal in an internal file fuzzing competition Powered by SMT Software Verification & Testing

29 Trade off between precision and performance Scalability Machine arithmetic (aka Bitvectors) Floating point arithmetic. FP operations are: Concretized in SAGE Approximated using rational numbers in Pex Software Verification & Testing

30 SMT Test case generation Predicate Abstraction Verifying Compilers

31 SLAM/SDV is a software model checker. Application domain: device drivers. Architecture: c2bp C program → boolean program (predicate abstraction). bebop Model checker for boolean programs. newton Model refinement (check for path feasibility) SMT solvers are used to perform predicate abstraction and to check path feasibility. c2bp makes several calls to the SMT solver. The formulas are relatively small.

32 Given a C program P and F = {p 1, …, p n }. Produce a Boolean program B(P, F) Same control flow structure as P. Boolean variables {b 1, …, b n } to match {p 1, …, p n }. Properties true in B(P, F) are true in P. Each p i is a pure Boolean expression. Each p i represents set of states for which p i is true. Performs modular abstraction. Software Verification & Testing

33 do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); Do this code obey the looking rule?

34 do { KeAcquireSpinLock(); if(*){ KeReleaseSpinLock(); } } while (*); KeReleaseSpinLock(); Model checking Boolean program U U L L L L L L L L U U L L U U U U U U E E

35 do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); Is error path feasible? U U L L L L L L L L U U L L U U U U U U E E

36 do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); Add new predicate to Boolean program b: (nPacketsOld == nPackets) Add new predicate to Boolean program b: (nPacketsOld == nPackets) U U L L L L L L L L U U L L U U U U U U E E b = true; b = b ? false : *; !b

37 do { KeAcquireSpinLock(); b = true; if(*){ KeReleaseSpinLock(); b = b ? false : *; } } while (!b); KeReleaseSpinLock(); Model Checking Refined Program b: (nPacketsOld == nPackets) Model Checking Refined Program b: (nPacketsOld == nPackets) U U L L L L L L L L U U L L U U U U U U E E b b b b b b !b

38 do { KeAcquireSpinLock(); b = true; if(*){ KeReleaseSpinLock(); b = b ? false : *; } } while (!b); KeReleaseSpinLock(); Model Checking Refined Program b: (nPacketsOld == nPackets) Model Checking Refined Program b: (nPacketsOld == nPackets) U U L L L L L L L L U U L L U U U U b b b b b b !b

39 do { KeAcquireSpinLock(); b = true; if(*){ KeReleaseSpinLock(); b = b ? false : *; } } while (!b); KeReleaseSpinLock(); Model Checking Refined Program b: (nPacketsOld == nPackets) Model Checking Refined Program b: (nPacketsOld == nPackets) U U L L L L L L L L U U L L U U U U b b b b b b !b

40 Implies F (e) Best Boolean function over F that implies e. ImpliedBy F (e) Best Boolean function over F that is implied by e. ImpliedBy F (e) = not Implies F (not e) Software Verification & Testing

41 minterm m = l 1 ∧... ∧ l n, where l i = p i, or l i = not p i. Implies F (e): disjunction of all minterms that imply e. Naive approach Generate all 2 n possible minterms. For each minterm m, use SMT solver to check validity of m ⇒ e. Many possible optimizations Software Verification & Testing

42 F = { x < y, x = 2} e : y > 1 Minterms over F !x 1 x 1 !x 1 x 1 Implies F (y>1) = x<y  x=2 Implies F (y>1) = b 1  b 2 Software Verification & Testing

43 Given an error path p in the Boolean program B. Is p a feasible path of the corresponding C program? Yes: found a bug. No: find predicates that explain the infeasibility. Execute path symbolically. Check conditions for inconsistency using SMT Solver. Software Verification & Testing

44 All-SAT Better (more precise) Predicate Abstraction Unsatisfiable cores Why the abstract path is not feasible? Fast Predicate Abstraction Interpolants Software Verification & Testing

45 Let S be an unsatisfiable set of formulas. S’  S is an unsatisfiable core of S if: S’ is also unsatisfiable, and There is no S’’  S’ that is also unsatisfiable. Computing Implies F (e) with F = {p 1, p 2, p 3, p 4 } Assume p 1, p 2, p 3, p 4  e is valid That is p 1, p 2, p 3, p 4,  e is unsat Now assume p 1, p 3,  e is the unsatisfiable core Then it is unnecessary to check: p 1,  p 2, p 3, p 4  e p 1,  p 2, p 3,  p 4  e p 1, p 2, p 3,  p 4  e

46 Software Verification & Testing SMT Test case generation Predicate Abstraction Verifying Compilers

47 A verifying compiler uses automated reasoning to check the correctness of a program that is compiles. Correctness is specified by types, assertions,... and other redundant annotations that accompany the program. Tony Hoare 2004

48 Source Language C# + goodies = Spec# Specifications method contracts, invariants, field and type annotations. Program Logic: Dijkstra’s weakest preconditions. Automatic Verification type checking, verification condition generation (VCG), SMT Spec# (annotated C#) Boogie PL Spec# Compiler VC Generator Formulas SMT Solver

49 class C { private int a, z; invariant z > 0 public void M() requires a != 0 { z = 100/a; }

50 VCC translates an annotated C program into a Boogie PL program. A C-ish memory model Abstract heaps Bit-level precision Microsoft Hypervisor: verification grand challenge. Software Verification & Testing

51 Quantifiers, quantifiers, quantifiers, … Modeling the runtime  h,o,f: IsHeap(h)  o ≠ null  read(h, o, alloc) = t  read(h,o, f) = null  read(h, read(h,o,f),alloc) = t Software Verification & Testing

52 Quantifiers, quantifiers, quantifiers, … Modeling the runtime Frame axioms  o, f: o ≠ null  read(h 0, o, alloc) = t  read(h 1,o,f) = read(h 0,o,f)  (o,f)  M Software Verification & Testing

53 Quantifiers, quantifiers, quantifiers, … Modeling the runtime Frame axioms User provided assertions  i,j: i  j  read(a,i)  read(b,j) Software Verification & Testing

54 Quantifiers, quantifiers, quantifiers, … Modeling the runtime Frame axioms User provided assertions Theories  x: p(x,x)  x,y,z: p(x,y), p(y,z)  p(x,z)  x,y: p(x,y), p(y,x)  x = y Software Verification & Testing

55 Quantifiers, quantifiers, quantifiers, … Modeling the runtime Frame axioms User provided assertions Theories Solver must be fast in satisfiable instances. Software Verification & Testing We want to find bugs!

56 Undecidable “False positives” Very fragile Software Verification & Testing

57 E-matching Complete instantiation Decidable fragments Model checking Superposition Calculus Software Verification & Testing

58 SMT is hot at Microsoft (> 15 projects) Many applications Cryptography Scheduling Optimization Many challenges Thank You!

Download ppt "SAT & SMT. Software Verification & Testing SAT & SMT Test case generation Predicate Abstraction Verifying Compilers."

Similar presentations

Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.

Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.
The Dafny program verifier

The Dafny program verifier
Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.

Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.

Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.

Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
Leonardo de Moura and Nikolaj Bjørner Microsoft Research.

Leonardo de Moura and Nikolaj Bjørner Microsoft Research.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Verification of parameterised systems

Verification of parameterised systems
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Similar presentations

Ads by Google