Software Model Checking Research Papers (original) (raw)

Resumen En este artículo describimos una herramienta puramente fun-cional para la verificación simbólica de sistemas, la cual utiliza la técnica llamada model checking (o verificación de modelos) para determinar la verdad de propiedades... more

Resumen En este artículo describimos una herramienta puramente fun-cional para la verificación simbólica de sistemas, la cual utiliza la técnica llamada model checking (o verificación de modelos) para determinar la verdad de propiedades lógicas sobre descripciones de sistemas. Nuestro principal objetivo es utilizar esta herramienta para la resolución de acerti-jos lógicos, a la vez que también se permite la verificación de propiedades complejas sobre sistemas de computación. La herramienta desarrollada es puramente funcional ya que utiliza librerías de Diagramas Binarios de Decisión implementados integramente en Haskell.

Although recent estimates are speaking of 200,000 different viruses, worms, and Trojan horses, the majority of them are variants of previously existing malware. As these variants mostly differ in their binary representation rather than... more

Although recent estimates are speaking of 200,000 different viruses, worms, and Trojan horses, the majority of them are variants of previously existing malware. As these variants mostly differ in their binary representation rather than their functionality, they can be recognized by analyzing the program behavior, even though they are not covered by the signature databases of current antivirus tools. Proactive malware detectors mitigate this risk by detection procedures that use a single signature to detect whole classes of functionally related malware without signature updates. It is evident that the quality of proactive detection procedures depends on their ability to analyze the semantics of the binary. In this paper, we propose the use of model checking-a well-established software verification technique-for proactive malware detection. We describe a tool that extracts an annotated control flow graph from the binary and automatically verifies it against a formal malware specificat...

Partial order reduction is a very succesful technique for avoidingthe state explosion problem that is inherent to explicit state modelchecking of asynchronous concurrent systems. It exploits the commutativityof concurrently executed... more

Partial order reduction is a very succesful technique for avoidingthe state explosion problem that is inherent to explicit state modelchecking of asynchronous concurrent systems. It exploits the commutativityof concurrently executed transitions in interleaved system runsin order to reduce the size of the explored state space. Directed modelchecking on the other hand addresses the state explosion problem byusing guided search techniques

Page 1. Efficient Predicate Abstraction Using Parallel Assignments for Software Verification Systems Murray Stokely Wadham College University of Oxford A thesis submitted for the degree of Master of Science Summer 2005 Page 2. Abstract... more

Page 1. Efficient Predicate Abstraction Using Parallel Assignments for Software Verification Systems Murray Stokely Wadham College University of Oxford A thesis submitted for the degree of Master of Science Summer 2005 Page 2. Abstract This thesis shows how formal software verification systems can be improved by utilising parallel assignment in weakest precondition computations. We begin with an introduction to modern software verification systems.

The paper presents a novel technique to create implementations of the basic primitives used in symbolic program analysis: forward symbolic evaluation, weakest liberal precondition, and symbolic composition. We used the technique to create... more

The paper presents a novel technique to create implementations of the basic primitives used in symbolic program analysis: forward symbolic evaluation, weakest liberal precondition, and symbolic composition. We used the technique to create a system in which, for the cost of writing just one specification—an interpreter for the programming language of interest—one obtains automatically-generated, mutually-consistent implementations of all three symbolic-analysis primitives. This can be carried out even for languages with pointers and address arithmetic. Our implementation has been used to generate symbolic-analysis primitives for x86 and PowerPC.

The use of assertions to express correctness properties of programs is growing in practice. Assertions provide a form of lightweight checkable specification that can be very effective in finding defects in programs and in guiding... more

The use of assertions to express correctness properties of programs is growing in practice. Assertions provide a form of lightweight checkable specification that can be very effective in finding defects in programs and in guiding developers to the cause of a problem. A wide variety of assertion languages and associated validation techniques have been developed, but run-time monitoring is commonly thought to be the only practical solution. In this paper, we describe how specifications written in the Java Modeling Language (JML), a general purpose behavioral specification and assertional language for Java, can be validated using a customized model checker built on top of the Bogor model checking framework. Our experience illustrates the need for customized state-space representations and reduction strategies in model checking frameworks in order to effectively check the kind of strong behavioral specifications that can be written in JML. We discuss the advantages and tradeoffs of model checking relative to other specification validation techniques and present data that suggest that the cost of model checking strong specifications is practical for several real programs.

Propositional bounded model checking has been applied successfully to verify embedded software but is limited by the increasing propositional formula size and the loss of structure during the translation. These limitations can be reduced... more

Propositional bounded model checking has been applied successfully to verify embedded software but is limited by the increasing propositional formula size and the loss of structure during the translation. These limitations can be reduced by encoding word-level information in theories richer than propositional logic and using SMT solvers for the generated verification conditions. Here, we investigate the application of different SMT solvers to the verification of embedded software written in ANSI-C. We have extended the encodings from previous SMT-based bounded model checkers to provide more accurate support for finite variables, bit-vector operations, arrays, structures, unions and pointers. We have integrated the CVC3, Boolector, and Z3 solvers with the CBMC front-end and evaluated them using both standard software model checking benchmarks and typical embedded applications from telecommunications, control systems and medical devices. The experiments show that our approach can analyze larger problems and substantially reduce the verification time.

The underlying model of computation for PROMELA is based on interacting processes with asynchronous communication, and hence SPIN has been mainly used as a verification engine for concurrent software systems. On the other hand, hardware... more

The underlying model of computation for PROMELA is based on interacting processes with asynchronous communication, and hence SPIN has been mainly used as a verification engine for concurrent software systems. On the other hand, hardware verification has mostly focused on clock synchronous register-transfer level (RTL) models. As a result, verification tools such as SMV which are based on synchronous state machine models have been used more frequently for hardware verification. However, as levels of abstractions are being raised in hardware design and as high-level synthesis is being promoted for synthesizing RTL, hardware design verification problems are changing in nature. In this paper, we consider a specific high-level hardware description langauge, namely, Bluespec System Verilog (BSV). The programming model of BSV is based on concurrent guarded actions, which we also call as Concurrent Action Oriented Specification (CAOS). High-level synthesis from BSV models has been shown to produce efficient RTL designs. Given the industry traction of BSV-based high-level synthesis and associated design flow, we consider the following formal verification problems: (i) Given a BSV specification \({\cal S}\) of a hardware design, does it satisfy certain temporal properties? (ii) Given a BSV specification \({\cal S}\) , and an implementation R synthesized from \({\cal S}\) using a BSV-based synthesis tool, does R conform to the behaviors specified by \({\cal S}\) ; that is, is R a refinement of \({\cal S}\) ? (iii) Given a different implementation R ′ synthesized from \({\cal S}\) using some other BSV-based synthesis tool, is R ′ a refinement of R as well? In this paper, we show how SPIN Model Checker can be used to solve these three problems related to the verification of BSV-based designs. Using a sample design, we illustrate how our approach can be used for verifying whether the designer intent in the BSV specification is accurately matched by its synthesized hardware implementation.

We describe the design and implementation of an automatic invariant generator for imperative programs. While automatic invariant generation through constraint solving has been extensively studied from a theoretical viewpoint as a... more

We describe the design and implementation of an automatic invariant generator for imperative programs. While automatic invariant generation through constraint solving has been extensively studied from a theoretical viewpoint as a classical means of program verification, in practice existing tools do not scale even to moderately sized programs. This is because the constraints that need to be solved even for small programs are already too difficult for the underlying (non-linear) constraint solving engines. To overcome this obstacle, we propose to strengthen static constraint generation with information obtained from static abstract interpretation and dynamic execution of the program. The strengthening comes in the form of additional linear constraints that trigger a series of simplifications in the solver, and make solving more scalable. We demonstrate the practical applicability of the approach by an experimental evaluation on a collection of challenging benchmark programs and comparisons with related tools based on abstract interpretation and software model checking.

We describe the design and implementation of an automatic invariant generator for imperative programs. While automatic invariant generation through constraint solving has been extensively studied from a theoretical viewpoint as a... more

We describe the design and implementation of an automatic invariant generator for imperative programs. While automatic invariant generation through constraint solving has been extensively studied from a theoretical viewpoint as a classical means of program verification, in practice existing tools do not scale even to moderately sized programs. This is because the constraints that need to be solved even for small programs are already too difficult for the underlying (non-linear) constraint solving engines. To overcome this obstacle, we propose to strengthen static constraint generation with information obtained from static abstract interpretation and dynamic execution of the program. The strengthening comes in the form of additional linear constraints that trigger a series of simplifications in the solver, and make solving more scalable. We demonstrate the practical applicability of the approach by an experimental evaluation on a collection of challenging benchmark programs and comparisons with related tools based on abstract interpretation and software model checking.

Predicate abstraction is an automatic technique that can be used to find abstract models of large or infinite-state systems. In tools like Slam, where predicate abstraction is applied to software model checking, a number of heuristic... more

Predicate abstraction is an automatic technique that can be used to find abstract models of large or infinite-state systems. In tools like Slam, where predicate abstraction is applied to software model checking, a number of heuristic approximations must be used to improve the performance of computing an abstraction from a set of predicates. For this reason, Slam can sometimes reach a state in which it is not able to further refine the abstraction. In this paper we report on an application of Das & Dill’s algorithm for predicate abstraction refinement. Slam now uses this strategy lazily to recover precision in cases where the abstractions generated are too coarse. We describe how we have extended Das & Dill’s original algorithm for use in software model checking. Our extension supports procedures, threads, and potential pointer aliasing. We also present results from experiments with Slam on device driver sources from the Windows operating system.

Graph transformation systems have become a general formal modeling language to describe many models in software development process. Behavioral modeling of dynamic systems and model-to-model transformations are only a few examples in... more

Graph transformation systems have become a general formal modeling language to describe many models in software development process. Behavioral modeling of dynamic systems and model-to-model transformations are only a few examples in which graphs have been used to software development. But even the perfect graph transformation system must be equipped with automated analysis capabilities to let users understand whether such a formal specification fulfills their requirements. In this paper, we present a new solution to verify graph transformation systems using the Bogor model checker. The attributed graph grammars (AGG)-like graph transformation systems are translated to Bandera intermediate representation (BIR), the input language of Bogor, and Bogor verifies the model against some interesting properties defined by combining linear temporal logic (LTL) and special-purpose graph rules. Experimental results are encouraging, showing that in most cases our solution improves existing approaches in terms of both performance and expressiveness.