Proof Certificates for SMT-based Model Checkers
Alain Mebsout and Cesare Tinelli
SMT 2016, July 2nd, 2016
Motivation
• Model checkers return an error trace when a property fails, but no evidence when they say yes
• They are complex tools
• Goal: improve the trustworthiness of these tools
• Approach: produce proof certificates
• Implemented in Kind 2
Certificate generation and checking
Proof certificate production as a two-step process
[Figure: the certification chain. Kind 2 takes the System and the Property P and, using SMT-based k-induction, emits an SMT2 certificate; CVC4 checks the certificate and emits proofs; LFSC checks the final proof of safety/validity against signatures for the SMT theories and for k-induction. The next slide highlights the intermediate-certificate step of this chain.]
Intermediate Certificates
An intermediate certificate is a pair (k, φ) where φ is k-inductive and implies the property P. This is enough to prove that P holds in S = (x, I, T).
[Figure: Kind 2 architecture. Each engine of the Kind 2 core (BMC, k-induction, IC3, Inv Gen) contributes a pair (kᵢ, φᵢ); the Supervisor combines them into the certificate (max(k₁, …, kₙ), φ₁ ∧ … ∧ φₙ) for P ∧ C, emitted as SMT-LIB 2 check-sat queries.]
Minimization of Intermediate (SMT-LIB 2) Certificates
Two dimensions:
• reduce k
• simplify the inductive invariant
    • simplify with unsat cores
    • simplify with counterexamples to induction
Rationale: a smaller/simpler certificate is easier to check
A taste of certificate minimization
(1) Trimming invariants
certificate: (1, φ₁ ∧ … ∧ φₙ ∧ P), where φ₁, …, φₙ are the invariants and P the property
Check that the conjunction is inductive:
    φ₁ ∧ … ∧ φₙ ∧ P ∧ T ∧ ¬P′ ⊨ ⊥
and take R ⊆ {φ₁, …, φₙ} from the unsat core.
Then check whether R ∧ P is itself inductive:
    R ∧ P ∧ T ⊨ R′ ∧ P′ ?
• yes: keep R
• no: restart with P := R ∧ P
A taste of certificate minimization (cont.)
(2) Cherry-picking invariants
certificate: (1, φ₁ ∧ … ∧ φₙ ∧ P), with R = {φ₁, …, φₙ}
Check whether P alone is inductive:
    P ∧ T ⊭ P′
If not, take the model M (a counterexample to induction) and choose φ ∈ R such that M ⊭ φ; then
    P := φ ∧ P
    R := R \ {φ}
and check again.
Front End Certificates
Front end certificates in Kind 2
Translations from one formalism to another are a source of errors.
In Kind 2:
• several intermediate representations
• many simplifications (slicing, path compression, encodings, …)
How to trust the translation from the input language to the internal FOL representation?
Lightweight verification akin to Multiple-Version Dissimilar Software Verification of DO-178C (12.3.2)
Front end certificates in Kind 2: approach
[Figure: the same Lustre input file is translated twice: by the Kind 2 frontend into S₁ = (x₁, I₁, T₁) with property P₁, and by the JKind frontend (native input) into S₂ = (x₂, I₂, T₂) with property P₂. An observer S_obs of the equivalence of S₁ and S₂ (OBS) is built over x_obs = x₁ ⊎ x₂ with P_obs(x_obs) = x₁ ∼ x₂. The Kind 2 core checks (S_obs, P_obs) through the previous certification chain (SMT-LIB 2 + CVC4 + LFSC), yielding the certificate C(S_obs, P_obs): the Front End Certificate (FEC).]
LFSC Proofs
Producing proofs
[Figure: the certification chain again (Kind 2 → SMT2 certificate → CVC4 → proofs → LFSC proof of safety/validity, checked against the SMT theory and k-induction signatures), now highlighting the proof-production step.]
Producing proofs of invariance
• input system: S = (s, I[s], T[s, s′])
• P[s]: property proven invariant for S
• certificate produced by Kind 2: (k, φ[s])
• We can formally check that φ
    1. is k-inductive
    2. implies P
• Our goal: produce a detailed, self-contained and independently machine-checkable proof
Proving invariance by k-induction
• input system: S = (s, I[s], T[s, s′])
• P[s]: property proven invariant for S
• certificate produced by Kind 2: (k, φ[s])
φ is a k-inductive strengthening of P:
    I[s₀] ∧ T[s₀, s₁] ∧ … ∧ T[sₖ₋₂, sₖ₋₁] ⊨ φ[s₀] ∧ … ∧ φ[sₖ₋₁]     (base_k)
    φ[s₀] ∧ T[s₀, s₁] ∧ … ∧ φ[sₖ₋₁] ∧ T[sₖ₋₁, sₖ] ⊨ φ[sₖ]     (step_k)
    φ[s] ⊨ P[s]     (implication)
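The three obligations above, and the cherry-picking loop from the minimization slides, are easy to lose in notation. The following is an added example, not code from the talk or from Kind 2: it checks a certificate (k, φ) for a small finite-state system by explicit enumeration of paths instead of SMT queries, finds the smallest k that works (the "reduce k" dimension), and runs the cherry-picking loop, where each counterexample to induction M selects a candidate invariant φ ∈ R with M ⊭ φ. The system, the property and the candidate invariants are constructed for the example; the unsat-core trimming step is not reproduced because it needs an SMT solver.

```python
"""Toy k-induction certificate checker over a finite-state system (added example).

State s = (c, g, f): c is a saturating counter 0..7, g records "c >= 1 one step
ago", f records "c >= 1 two steps ago". All predicates are Python functions over
states; the slides' SMT entailments become enumeration over the 32 states.
"""

STATES = [(c, g, f) for c in range(8) for g in (False, True) for f in (False, True)]


def init(s):
    return s == (0, False, False)


def trans(s, t):
    c, g, f = s
    return t == (min(c + 1, 7), c >= 1, g)


def succs(s):
    return [t for t in STATES if trans(s, t)]


def paths(length, start, along=lambda s: True):
    """All paths s_0 .. s_length with start(s_0) and along(s_i) for every i < length."""
    frontier = [(s,) for s in STATES if start(s)]
    for _ in range(length):
        frontier = [p + (t,) for p in frontier if along(p[-1]) for t in succs(p[-1])]
    return frontier


def base_k(k, phi):
    """(base_k): the first k states of every initial path satisfy phi; returns a violating path or None."""
    for p in paths(k - 1, init):
        if not all(phi(s) for s in p):
            return p
    return None


def step_k(k, phi):
    """(step_k): k consecutive phi-states force phi at step k; returns a CTI path or None."""
    for p in paths(k, phi, along=phi):
        if not phi(p[-1]):
            return p
    return None


def implication(phi, P):
    """(implication): phi[s] entails P[s] on every state."""
    return all(P(s) for s in STATES if phi(s))


def check_certificate(k, phi, P):
    """Check certificate (k, phi) for property P; returns 'ok' or the name of the failing obligation."""
    if base_k(k, phi) is not None:
        return "base"
    if step_k(k, phi) is not None:
        return "step"
    if not implication(phi, P):
        return "implication"
    return "ok"


def minimal_k(phi, P, k_max=8):
    """Smallest k for which (k, phi) certifies P (the 'reduce k' dimension), or None."""
    for k in range(1, k_max + 1):
        if check_certificate(k, phi, P) == "ok":
            return k
    return None


def conj(p, q):
    return lambda s: p(s) and q(s)


def cherry_pick(P, candidates):
    """Strengthen P with candidates from R until it is 1-inductive (cherry-picking loop).

    candidates: dict name -> predicate, playing the role of R. The pre-state of each
    counterexample to induction is the model M; pick a phi in R with M |/= phi, set
    P := phi and P, R := R minus phi. Returns the strengthened P and the picked names.
    """
    R = dict(candidates)
    picked = []
    while (cti := step_k(1, P)) is not None:
        m = cti[0]
        name = next((n for n, phi in R.items() if not phi(m)), None)
        if name is None:
            raise ValueError(f"no candidate invariant rules out CTI state {m}")
        P = conj(P, R.pop(name))
        picked.append(name)
    return P, picked


# Property under check (constructed): f implies c >= 3. It is 2-inductive but not 1-inductive.
def P(s):
    c, g, f = s
    return c >= 3 or not f


# Candidate auxiliary invariants (constructed; only one of them is needed).
CANDIDATES = {
    "f_implies_g": lambda s: s[1] or not s[2],
    "c_nonneg": lambda s: s[0] >= 0,
    "g_implies_c_ge_2": lambda s: s[0] >= 2 or not s[1],
}

if __name__ == "__main__":
    print("P alone, k=1:", check_certificate(1, P, P), "CTI:", step_k(1, P))
    print("P alone, k=2:", check_certificate(2, P, P))
    phi, picked = cherry_pick(P, CANDIDATES)
    print("picked:", picked, "-> certificate checks with k =", minimal_k(phi, P))
```

Running it shows the two minimization dimensions trading off against each other: P on its own needs k = 2, while after cherry-picking the single invariant g → c ≥ 2 the certificate (1, (g → c ≥ 2) ∧ P) passes all three obligations with k = 1.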
Approach
• Use CVC4 to generate proofs for the validity of each sub-case: base, step and implication (one LFSC proof from CVC4 for each)
• Kind 2 generates a proof of invariance by k-induction that reuses the proofs of CVC4
• Result: an LFSC proof of invariance and safety constructed by Kind 2
LFSC rules
[Figure: the certification chain again (Kind 2 → SMT2 certificate → CVC4 → proofs → LFSC proof of safety/validity), now highlighting the LFSC signatures for the SMT theories and for k-induction.]
LFSC encodings
Encoding of Lustre variables as functions over naturals (indexes)
In Lustre:
    node main (a: bool) returns (OK: bool)
    var b: bool;
    ...
In the LFSC signature:
    (declare index sort)
    (declare ind int → index)
In the LFSC proof:
    (declare a (term (arrow index Bool)))
    (declare b (term (arrow index Bool)))
    (declare OK (term (arrow index Bool)))
    ...
LFSC encodings (cont.)
Predicates and relations over copies of the same state ⇝ predicates/relations over indexes
• P(sᵢ) ⇝ P_s(i)
• R(sᵢ, sⱼ) ⇝ R_s(i, j)
In the LFSC signature:
    ;; relations over indexes (used for the transition relation)
    (define rel int → int → formula)
    ;; sets over indexes (used for the initial formula and properties)
    (define set int → formula)
    ;; derivability judgment for invariance proofs
    (declare invariant set → rel → set → type)
In the LFSC proof:
    ;; encoding of the property
    (define P : set (λ i . (p_app (apply _ _ OK (int i)))))
    ;; encoding of the transition relation
    (define T : rel (λ i . λ j . ...))