specification of concretization and symbolization
play

Specification of Concretization and Symbolization Policies in - PowerPoint PPT Presentation

Nov 01, 2022 •241 likes •862 views

Specification of Concretization and Symbolization Policies in Symbolic Execution S ebastien Bardin joint work with Robin David, Josselin Feist, Laurent Mounier, Marie-Laure Potet, Thanh Dihn Ta, Jean-Yves Marion CEA LIST (Paris-Saclay,

  1. Specification of Concretization and Symbolization Policies in Symbolic Execution S´ ebastien Bardin joint work with Robin David, Josselin Feist, Laurent Mounier, Marie-Laure Potet, Thanh Dihn Ta, Jean-Yves Marion CEA LIST (Paris-Saclay, France) ISSTA 2016 Bardin et al. ISSTA 2016 1/ 27

  2. Preamble Takeaway Dynamic Symbolic Execution (DSE) : powerful approach to verif. and testing three key ingredients : path predicate computation & solving, path search, concretization & symbolization policy (C/S) C/S is an essential part, yet mostly not studied many policies (one per tool), no systematic study of C/S undocumented, unclear tools : often a single hardcoded policy, no reuse across tools Our goal : establish C/S as a proper field of study [focus first on specification] CSML, a specification language for C/S � ◮ clear, non-ambiguous [documentation] ◮ tool independent [reuse, sharing, tuning] ◮ executable [input for tools] implemented in BINSEC � an experimental comparison of C/S policies � Bardin et al. ISSTA 2016 2/ 27

  3. Preamble About formal verification Between Software Engineering and Theoretical Computer Science Goal = proves correctness in a mathematical way Key concepts : M | = ϕ Kind of properties absence of runtime error M : semantic of the program pre/post-conditions ϕ : property to be checked | = : algorithmic check temporal properties Bardin et al. ISSTA 2016 3/ 27

  4. Preamble From (a logician’s) dream to reality Industrial reality in some key areas, especially safety-critical domains hardware, aeronautics [airbus], railroad [metro 14], smartcards, drivers [Windows], certified compilers [CompCert] and OS [Sel4], etc. Ex : Airbus Verification of runtime errors [Astr´ ee] functional correctness [Frama-C] numerical precision [Fluctuat] source-binary conformance [CompCert] ressource usage [Absint] Bardin et al. ISSTA 2016 4/ 27

  5. Preamble Next big challenge Apply formal methods to less-critical software Very different context : no formal spec, less developer involvement, etc. Difficulties robustness [w.r.t. software constructs] no place for false alarms scale sometimes, not even source code Bardin et al. ISSTA 2016 5/ 27

  6. Preamble Next big challenge Apply formal methods to less-critical software Very different context : no formal spec, less developer involvement, etc. Difficulties DSE as a first step robustness [w.r.t. software constructs] very robust no place for false alarms (mostly) no false alarm scale scale in some ways sometimes, not even source code ok for binary code Bardin et al. ISSTA 2016 5/ 27

  7. DSE in a nutshell Introducing DSE Dynamic Symbolic Execution [since 2004-2005 : dart, cute, pathcrawler ] a very powerful formal approach to verification and testing many tools and successful case-studies since mid 2000’s ◮ SAGE, Klee, Mayhem, etc. ◮ coverage-oriented testing, bug finding, exploit generation, reverse arguably one of the most wide-spread use of formal methods Very good properties mostly no false alarm, robust, scale, ok for binary code Bardin et al. ISSTA 2016 6/ 27

  8. DSE in a nutshell Introducing DSE Dynamic Symbolic Execution [since 2004-2005 : dart, cute, pathcrawler ] a very powerful formal approach to verification and testing many tools and successful case-studies since mid 2000’s ◮ SAGE, Klee, Mayhem, etc. ◮ coverage-oriented testing, bug finding, exploit generation, reverse arguably one of the most wide-spread use of formal methods Very good properties mostly no false alarm, robust, scale, ok for binary code Key idea : path predicate [King 70’s] consider a program P on input v , and a given path σ a path predicate ϕ σ for σ is a formula s.t. v | = ϕ σ ⇒ P(v) follows σ intuitively the conjunction of all branching conditions old idea, recent renew interest [powerful solvers, dynamic+symbolic] Bardin et al. ISSTA 2016 6/ 27

  9. DSE in a nutshell DSE int main () { σ := ∅ int x = input(); PC := ⊤ int y = input(); x = input() int z = 2 * y; y = input() z = 2 * y if (z == x) { if (x > y + 10) σ := { x → x 0 , y → y 0 , z → 2 y 0 } failure; } z == x success; PC := ⊤ ∧ 2 y 0 = x 0 } x > y + 10 PC := ⊤ ∧ 2 y 0 � = x 0 given a path of the program automatically find input that PC := ⊤ ∧ 2 y 0 = x 0 ∧ x 0 > y 0 + 10 follows the path PC := ⊤ ∧ 2 y 0 = x 0 ∧ x 0 ≤ y 0 + 10 then, iterate over all paths Bardin et al. ISSTA 2016 7/ 27

  10. DSE in a nutshell DSE int main () { σ := ∅ int x = input(); PC := ⊤ int y = input(); Three key ingredients x = input() int z = 2 * y; y = input() path predicate computation & solving z = 2 * y if (z == x) { if (x > y + 10) path search σ := { x → x 0 , y → y 0 , z → 2 y 0 } failure; C/S policy } z == x success; PC := ⊤ ∧ 2 y 0 = x 0 } x > y + 10 PC := ⊤ ∧ 2 y 0 � = x 0 given a path of the program automatically find input that PC := ⊤ ∧ 2 y 0 = x 0 ∧ x 0 > y 0 + 10 follows the path PC := ⊤ ∧ 2 y 0 = x 0 ∧ x 0 ≤ y 0 + 10 then, iterate over all paths Bardin et al. ISSTA 2016 7/ 27

  11. DSE in a nutshell Path predicate computation Usually easy to compute [forward, introduce new logical variables at each step] Loc Instruction input(y,z) 0 1 w := y+1 x := w + 3 2 if (x < 2 * z) [True branch] 3 4 if (x < z) [False branch] Path predicate (input Y 0 et Z 0 ) Bardin et al. ISSTA 2016 8/ 27

  12. DSE in a nutshell Path predicate computation Usually easy to compute [forward, introduce new logical variables at each step] Loc Instruction input(y,z) 0 1 w := y+1 x := w + 3 2 if (x < 2 * z) [True branch] 3 4 if (x < z) [False branch] Path predicate (input Y 0 et Z 0 ) let W 1 � Y 0 + 1 in Bardin et al. ISSTA 2016 8/ 27

  13. DSE in a nutshell Path predicate computation Usually easy to compute [forward, introduce new logical variables at each step] Loc Instruction input(y,z) 0 1 w := y+1 x := w + 3 2 if (x < 2 * z) [True branch] 3 4 if (x < z) [False branch] Path predicate (input Y 0 et Z 0 ) let W 1 � Y 0 + 1 in let X 2 � W 1 + 3 in Bardin et al. ISSTA 2016 8/ 27

  14. DSE in a nutshell Path predicate computation Usually easy to compute [forward, introduce new logical variables at each step] Loc Instruction input(y,z) 0 1 w := y+1 x := w + 3 2 if (x < 2 * z) [True branch] 3 4 if (x < z) [False branch] Path predicate (input Y 0 et Z 0 ) let W 1 � Y 0 + 1 in let X 2 � W 1 + 3 in X 2 < 2 × Z 0 Bardin et al. ISSTA 2016 8/ 27

  15. DSE in a nutshell Path predicate computation Usually easy to compute [forward, introduce new logical variables at each step] Loc Instruction input(y,z) 0 1 w := y+1 x := w + 3 2 if (x < 2 * z) [True branch] 3 4 if (x < z) [False branch] Path predicate (input Y 0 et Z 0 ) let W 1 � Y 0 + 1 in let X 2 � W 1 + 3 in X 2 < 2 × Z 0 ∧ X 2 ≥ Z 0 Bardin et al. ISSTA 2016 8/ 27

  16. DSE in a nutshell Path Exploration input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ solve ϕ σ for satisfiability SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. ISSTA 2016 9/ 27

  17. DSE in a nutshell Path Exploration input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ solve ϕ σ for satisfiability SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. ISSTA 2016 9/ 27

  18. DSE in a nutshell Path Exploration input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ solve ϕ σ for satisfiability SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. ISSTA 2016 9/ 27

  19. DSE in a nutshell Path Exploration input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ solve ϕ σ for satisfiability SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. ISSTA 2016 9/ 27

  20. DSE in a nutshell Path Exploration input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ solve ϕ σ for satisfiability SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. ISSTA 2016 9/ 27

  21. DSE in a nutshell Path Exploration input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ solve ϕ σ for satisfiability SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. ISSTA 2016 9/ 27

  22. DSE in a nutshell Path Exploration input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ solve ϕ σ for satisfiability SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. ISSTA 2016 9/ 27

Recommend

Adaptive)Concretization)for) Parallel)Program)Synthesis) Jinseong(Jeon 1 ,)Xiaokang)Qiu 2 ,)

Adaptive)Concretization)for) Parallel)Program)Synthesis) Jinseong(Jeon 1 ,)Xiaokang)Qiu 2 ,)

Adaptive)Concretization)for) Parallel)Program)Synthesis) Jinseong(Jeon 1 ,)Xiaokang)Qiu 2 ,) Armando)Solar@Lezama 2 ,)and)Jeffrey)S.)Foster 1) ) 1.)University)of)Maryland,)College)Park) 2.)MIT)CSAIL ) Syntax@guided)Synthesis) bit[32]

579 views • 57 slides
Adaptive)Concretization)for) Parallel)Program)Synthesis) Jinseong(Jeon 1 ,)Xiaokang)Qiu 2 ,)

Adaptive)Concretization)for) Parallel)Program)Synthesis) Jinseong(Jeon 1 ,)Xiaokang)Qiu 2 ,)

Adaptive)Concretization)for) Parallel)Program)Synthesis) Jinseong(Jeon 1 ,)Xiaokang)Qiu 2 ,) Armando)Solar@Lezama 2 ,)and)Jeffrey)S.)Foster 1) ) 1.)University)of)Maryland,)College)Park) 2.)MIT)CSAIL ) Syntax@guided)Synthesis) bit[32]

310 views • 27 slides
1 Good Requirements Graphical Languages? Specification Qualities Examples: Complete -

1 Good Requirements Graphical Languages? Specification Qualities Examples: Complete -

REQUIREMENT SPECIFICATION The Basic Waterfall Model Today: Requirements Specification Requirements Requirements tell us what the system should do - specification not how it should do it. Analysis &amp; Requirements are

363 views • 3 slides
Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica

Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica

Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Until now Logic Formal specification (generalities) Algebraic specification Transition systems 2

798 views • 62 slides
REQUIREMENT Requirement specification SPECIFICATION motivation and basics Today:

REQUIREMENT Requirement specification SPECIFICATION motivation and basics Today:

REQUIREMENT Requirement specification SPECIFICATION motivation and basics Today: Requirements Specification Requirement specification is generally a crucial phase of an Jyrki Nummenmaa University of Tampere, CS Department Jyrki

244 views • 3 slides
Formal Specification and Verification Formal specification Temporal logic 12.06.2012

Formal Specification and Verification Formal specification Temporal logic 12.06.2012

Formal Specification and Verification Formal specification Temporal logic 12.06.2012 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Formal specification Specification for program/system Specification for

443 views • 21 slides
specification free monitoring CS 119 can we avoid writing specs? specification and programming

specification free monitoring CS 119 can we avoid writing specs? specification and programming

specification free monitoring CS 119 can we avoid writing specs? specification and programming specification runtime verification program input output 2 properties can be hard to write To quote quite excellent NASA software engineer

987 views • 65 slides
Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica

Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica

Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Until now Logic Formal specification (generalities) Algebraic specification 2 Formal

627 views • 19 slides
Software specification in CASL - The Common Algebraic Specification Language Till Mossakowski,

Software specification in CASL - The Common Algebraic Specification Language Till Mossakowski,

Software specification in CASL - The Common Algebraic Specification Language Till Mossakowski, Lutz Schr oder October 2006 2 Overview Why formal specification? Waterfall Model Example: sorting CASL the Common Algebraic

542 views • 43 slides
Formal Specification Techniques Knowledge of typical approaches to formal software specification

Formal Specification Techniques Knowledge of typical approaches to formal software specification

Goals Understanding of the motivation of mathematical approaches to software specification Formal Specification Techniques Knowledge of typical approaches to formal software specification CAS 707 and verification McMaster University, Winter

106 views • 6 slides
Looking Ahead Developing New Products and Specification Updates Specification Review Project

Looking Ahead Developing New Products and Specification Updates Specification Review Project

Looking Ahead Developing New Products and Specification Updates Specification Review Project Establish a timeline for annual research/new product development Seek versatile, high volume products that could be offered to both schools

430 views • 17 slides
Specification and Analysis of Contracts Lecture 7 Specification of Deontic Contracts Using

Specification and Analysis of Contracts Lecture 7 Specification of Deontic Contracts Using

Specification and Analysis of Contracts Lecture 7 Specification of Deontic Contracts Using CL Gerardo Schneider gerardo@ifi.uio.no http://folk.uio.no/gerardo/ Department of Informatics, University of Oslo SEFM School, Oct. 27 - Nov. 7,

873 views • 54 slides
What is a Compiler? A compiler translates a source specification into a target specification.

What is a Compiler? A compiler translates a source specification into a target specification.

8/27/2012 What is a Compiler? A compiler translates a source specification into a target specification. Traditionally, we consider compilers that take a source language and produce CS 1622: target (machine) code. However, there can be many

305 views • 3 slides
Identification and Specification of Identification and Specification of NGN Service and Control

Identification and Specification of Identification and Specification of NGN Service and Control

I nternational Telecom m unication Union ITU-T Identification and Specification of Identification and Specification of NGN Service and Control NGN Service and Control Requirements Requirements Tobey Trygar Telcordia Technologies I TU-T W

703 views • 21 slides
A Hierarchy of System Specification Basis of System Specification 1. Set Theory 2. Time Base 3.

A Hierarchy of System Specification Basis of System Specification 1. Set Theory 2. Time Base 3.

A Hierarchy of System Specification Basis of System Specification 1. Set Theory 2. Time Base 3. Segments and Trajectories Hierarchy of System Specification (causal, deterministic) 1. I/O Observation Frame 2. I/O Observation Relation

794 views • 58 slides
Community Navigation m 1 st October 2018 Agenda Service Specification Background

Community Navigation m 1 st October 2018 Agenda Service Specification Background

Community Navigation m 1 st October 2018 Agenda Service Specification Background Contract Design Tender Process Timelines Feedback and Questions Draft Specification On Friday, a draft version of the specification was

353 views • 20 slides
Examining the Software Specification [Reading assignment: Chapter 4, pp. 54-62] Testing the

Examining the Software Specification [Reading assignment: Chapter 4, pp. 54-62] Testing the

Examining the Software Specification [Reading assignment: Chapter 4, pp. 54-62] Testing the specification You do not need to have code to start testing. Testing the specification can save on time and cost later on. Also, mistakes

742 views • 30 slides
Specification-Based Testing 1 Stuart Anderson Stuart Anderson Specification-Based Testing 1

Specification-Based Testing 1 Stuart Anderson Stuart Anderson Specification-Based Testing 1

Specification-Based Testing 1 Stuart Anderson Stuart Anderson Specification-Based Testing 1 2011 c 1 Overview Basic terminology A view of faults through failure Systematic versus randomised testing A systematic approach to

492 views • 32 slides
Specification Formalisms for LTSs Xinxin Liu Institute of Software Chinese Academy of Sciences

Specification Formalisms for LTSs Xinxin Liu Institute of Software Chinese Academy of Sciences

1 Specification Formalisms for LTSs Xinxin Liu Institute of Software Chinese Academy of Sciences BASICS2009 2 Outline: 1. Background 2. Issues in specification formalisms 3. Some specification formalisms 4. HML with single alternation of

710 views • 23 slides
200511316 200511316 Test plan Test design specification g p

200511316 200511316 Test plan Test design specification g p

200511316 200511316 Test plan Test design specification g p Test case specification Test procedure specification Test procedure specification Test item transmittal report Test log l Test

493 views • 38 slides
by Maciej Klepacki Characteristics of Specification By Example (Behavior Driven Development)

by Maciej Klepacki Characteristics of Specification By Example (Behavior Driven Development)

Specification By Example smarter way to create software by Maciej Klepacki Characteristics of Specification By Example (Behavior Driven Development) Scope is directly steered by business goals User Stories are created together with

936 views • 14 slides
Software Requirements and Specification Review the Specifiction Review the Specifiction SE3821

Software Requirements and Specification Review the Specifiction Review the Specifiction SE3821

Software Requirements and Specification Review the Specifiction Review the Specifiction SE3821 - Jay Urbain 1 Reviewing the Specification 2 Reviewing the Specification 3 Releasing the Specification At some stage in the requirements

462 views • 23 slides
Declarative Specification of FSM-Inference Algorithms InvariMint Observations Model

Declarative Specification of FSM-Inference Algorithms InvariMint Observations Model

Declarative Specification of FSM-Inference Algorithms InvariMint Observations Model Declarative specification Ivan Beschastnikh Yuriy Brun Jenny Abrahamson Michael D. Ernst University of Washington UMass. Amherst Arvind Krishnamurthy

1.34k views • 75 slides
INF5140 Specification and Verification of Parallel Systems Logics, lecture 2 Spring 2015

INF5140 Specification and Verification of Parallel Systems Logics, lecture 2 Spring 2015

INF5140 Specification and Verification of Parallel Systems Logics, lecture 2 Spring 2015 February 20, 2015 1 / 37 Introduction Today: we start with the specification language Logic is the specification language for us. There are many

1.04k views • 37 slides

More recommend