Voting Machines and Automotive Software: Explorations with SMT at Scale
Sanjit A. Seshia, EECS Department, UC Berkeley
Joint work with: Bryan Brady, Randy Bryant, Susmit Jha, Jon Kotker, John O’Leary, Alexander Rakhlin, Cynthia Sturton, David Wagner
March 2011
Three Stories
Verified Voting Machine – High-confidence Interactive System
– SMT solving can exponentially reduce the number of UI tests by humans
GameTime – Timing Analysis of Embedded Software
– SMT solving can enable systematic measurement-based timing analysis
UCLID / ATLAS – Verification of High-Level Hardware Designs
– SMT solving sometimes needs help! (automatic abstraction to suitable theories)
Electronic Voting Machines
2010 U.S. elections statistics [verifiedvoting.org]
– 25% of registered voters had to use paperless electronic voting machines
– In 11 states, paperless voting accounts for most or all Election Day ballots
Concerns about correctness and security
(Figure: map of the 2010 elections [verifiedvoting.org])
Voting Machines in the News
Jefferson County Voters Continue To Raise Concerns About Voting Machines
“… voters complained that when they selected a particular candidate, another candidate’s name would light up.” KDFM-TV Channel Six News, Oct. 28, 2006
Can You Count on Voting Machines?
“Sliding finger bug on the Diebold AccuVote-TSX … machine would crash every few hundred ballots” The New York Times Magazine, Jan 6, 2008.
A Typical DRE
Contest: a particular race on the ballot
– E.g., Presidential
– l choices, pick k
Voter session: a sequence of contests
– Navigate back and forth
Cast: commit all choices for all contests
– The last step of a voter session
(Image: voterescue.org)
Our Contribution
Testing by humans + formal verification can prove a voting machine will work correctly on election day
Designed a simplified voting machine and proved its correctness using formal methods
– Direct recording electronic voting machine (DRE) synthesized onto an FPGA
– Verification by model checking and SMT solving
– Finite, polynomial number of tests (to be conducted by humans)
Publication: C. Sturton, S. Jha, S. A. Seshia and D. Wagner, “On Voting Machine Design for Verification and Testability”, ACM CCS 2009.
Correctness: Trace Equivalence
(Figure: a tester presses Button 1 in Contest 1; the implementation screen goes from no selections to “Alice”; the specification models the same step as the state (1, ø) becoming (1, {“Alice”}). How to model?)
Testing: What Tests are Sufficient?
(Figure: tester inputs b1, b2, b3, …, cast; screens 1: Alice, 2: Yes, 3: Eve; is the implementation ?= the specification)
What sequences (b1, b2, b3, …, cast) are sufficient for testing?
Problem: Infinitely many input sequences!
Consider for a single contest: Alice (A) vs. Bob (B): A A B B …
Formal Verification to the Rescue
Verify the following properties on the code:
P0. The DRE implementation is deterministic
P1. Each unique output screen represents a unique internal state
– output display function is an injective (1-1) function of selection state and contest number
P2. The final cast vote record accurately reflects the selection state
Multiple Contests: Exponential Blowup
(Figure: three contests, Alice/Bob, Yes/No, Eve/Mallory, with next/prev navigation between them)
N contests, 1-of-k choice in each contest: k^N total combinations
An SMT-based verification step can reduce the number of choices to simply N*k!
Additional Properties to be Verified
P3. Contests are Independent: Updating the state of one contest has no effect on any other contest
P4. Navigation does not affect Selection: A navigation button does not affect the selection state of any contest
P5. Selection does not affect Navigation: A selection button does not navigate to a new contest
Verifying Independence/Determinism
Verify that a variable v is a function of W = {w1, w2, … wk} AND nothing else
Encode the next-state and output functions as logical formulas over (S, S’, I, O): S’ = next-state(S, I) ∧ O = output(S)
Check that the value of v is not affected by changes to variables other than W (consider two runs in which the W variables have the same initial value)
Check validity of the formula:
{ transition formula(S1, S1’, I1, O1) ∧ transition formula(S2, S2’, I2, O2) ∧ ∀ w ∈ W. w1 = w2 } ⇒ v1’ = v2’
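To make the two-run encoding concrete, here is an added example in Python (not the paper's FPGA design or UCLID code): a constructed toy DRE next-state function with N contests and K candidates, plus a check that a next-state variable v depends only on the variables in W, done by enumerating both copies of the transition relation exhaustively instead of handing the formula to an SMT solver. It also checks P3 and P5 from the earlier slides; the `buggy` flag injects a constructed defect to show the check catching it.

```python
from itertools import product

# Constructed toy DRE model (added example, not the verified design from the paper):
# N contests, K candidates each, 1-of-K choice; picking a candidate replaces the earlier pick.
N, K = 2, 2
NAV = ("next", "prev")
SEL = tuple(f"sel{i}" for i in range(K))   # selection buttons
NONE = -1                                   # "no selection yet"

def step(state, button, buggy=False):
    """Next-state function (P0 holds by construction: it is a function).
    state = (contest, selections); selections[c] in {NONE, 0..K-1}."""
    contest, sels = state
    sels = list(sels)
    if button == "next":
        contest = min(contest + 1, N - 1)
    elif button == "prev":
        contest = max(contest - 1, 0)
    else:
        sels[contest] = int(button[3:])
        if buggy:  # constructed defect: a selection button also navigates (violates P5)
            contest = min(contest + 1, N - 1)
    return (contest, tuple(sels))

def runs():
    """Every (state, input) pair of the finite model: the domain an SMT solver quantifies over."""
    for contest, sels in product(range(N), product(range(NONE, K), repeat=N)):
        for button in NAV + SEL:
            yield ((contest, sels), button)

def value(state, button, name):
    """Read variable 'contest', 'button' or 'sel_j' from a (state, input) pair."""
    contest, sels = state
    if name == "contest":
        return contest
    if name == "button":
        return button
    return sels[int(name[4:])]

def function_of(v, W, buggy=False):
    """Two-run check from the slide: v' may depend only on W. Returns a pair of runs that
    agree on W but disagree on v' (a counterexample), or None if v is a function of W.
    Z3 would refute the same formula symbolically; here the finite model is enumerated."""
    for (s1, b1), (s2, b2) in product(list(runs()), repeat=2):
        if all(value(s1, b1, w) == value(s2, b2, w) for w in W):
            n1, n2 = step(s1, b1, buggy), step(s2, b2, buggy)
            if value(n1, None, v) != value(n2, None, v):
                return ((s1, b1), (s2, b2))
    return None

def check_p5(buggy=False):
    """P5: a selection button never changes the current contest. Returns a violating run or None."""
    return next((r for r in runs() if r[1] in SEL and step(*r, buggy)[0] != r[0][0]), None)
```

P3 for contest 0 is `function_of("sel_0", ["sel_0", "contest", "button"])`; dropping `contest` from W yields a counterexample, which is exactly the dependence the property is meant to expose.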
Experience with SMT Solvers
Original HW implementation
– Small screen, rendered in hardware
– Bit-vector SMT solvers (circa 2009) worked fine: Beaver (developed in my group)
Moved to combined HW-SW implementation
– Larger screen, more complex GUI, rendered in software
– Bit-vector solvers no longer scaled
– Solution: Use quantified linear arithmetic with uninterpreted functions and arrays; compositional reasoning
2009: Still too difficult for SMT solvers, Z3 returned “unknown”
2011: Progress! Z3 solves it.
Timing Analysis of Embedded Software
Does the brake-by-wire software always actuate the brakes within 1 ms?
Can the pacemaker software trigger a pace more frequently than prescribed?
The Challenge of Timing Analysis
Several timing analysis problems:
– Worst-case execution time (WCET) estimation
– Threshold property: can a program take more/less time than it is supposed to?
– Estimating distribution of execution times
– Software-in-the-loop simulation: predict execution time of a particular program path
Challenge: Platform Modeling