A Survey of Satisfiability Modulo Theory
Satisfiability modulo theory (SMT) consists in testing the satisfiability of first-order formulas over linear integer or real arithmetic, or other theories. In this survey, we explain the combination of propositional satisfiability and decision procedures for conjunctions known as DPLL(T), and the alternative "natural domain" approaches. We also cover quantifiers, Craig interpolants, polynomial arithmetic, and how SMT solvers are used in automated software analysis.
Comment: Computer Algebra in Scientific Computing, Sep 2016, Bucharest, Romania. 201
A Posthumous Contribution by Larry Wos: Excerpts from an Unpublished Column
Shortly before Larry Wos passed away, he sent a manuscript for discussion to Sophie Tourret, the editor of the AAR newsletter. We present excerpts from this final manuscript, put it in its historic context and explain its relevance for today's research in automated reasoning.
Improving the formal verification of reachability policies in virtualized networks
Network Function Virtualization (NFV) and Software Defined Networking (SDN) are emerging paradigms that have changed the rules of networking, shifting the focus to dynamicity and programmability. In this new scenario, a very important and challenging task is detecting anomalies in the data plane, especially with the aid of suitable automated software tools. In particular, this operation must be performed within quite strict time limits, because of the high dynamism introduced by virtualization. In this paper, we propose a new network modeling approach that enhances the performance of formal verification of reachability policies, checked by solving a Satisfiability Modulo Theories (SMT) problem. The performance improvement comes from defining function models that work not on single packets but on packet classes. The modeling approach nonetheless covers not only stateless functions but also stateful functions such as NATs and firewalls. The implementation of the proposed approach achieves high scalability in complex networked systems consisting of several heterogeneous functions.
CHAUSSETTE: A Symbolic Verification of Bitcoin Scripts
The Bitcoin protocol relies on scripts written in SCRIPT, a simple Turing-incomplete stack-based language, for locking the money carried over the Bitcoin network. This paper explores the use of symbolic execution for finding transactions that make it possible to redeem the money without being the legitimate owner.
In particular, we show in detail how using insecure scripts could have led to security breaches, resulting in bitcoin theft. Our contributions include (i) a quantification of the vulnerable script instances over the full Bitcoin history up to February 4th, 2023; (ii) the development and open-source publication of a symbolic execution tool, called CHAUSSETTE; (iii) the description of how to use CHAUSSETTE to perform the attack; and (iv) a discussion of a way to secure vulnerable money.
Symbolic Methods for Biological Networks D2.1 Report on Scalable Methods for Tropical Solutions (T1.2): ANR-DFG SYMBIONT Project ANR-17-CE40-0036
Tropical geometry can be used to find the order of time scales of variables in chemical reaction networks and to search for model reductions [SGF+15]. In this report, we consider the problem of solving tropical equilibration problems in ODE systems of the BioModels model repository. We are interested in the existence of solutions both in R and in Z. We present three methods and study their scalability for solving complete equilibration problems. The first two methods, a naive polyhedral method using PtCut [Lüd20c] and a Satisfiability Modulo Theories (SMT) method recently introduced in [Lüd20a] using the SMT solver CVC4 [BCD+11], compute the set of solutions over the real numbers. The SMT approach is significantly faster than the polyhedral approach, by up to two orders of magnitude. Furthermore, this method provides an anytime algorithm, thus offering a way to compute parts of the solution when the polyhedral approach is infeasible. The third method, the Constraint Programming (CP) method presented in [SFR14] and implemented in Biocham-4, computes integer equilibrations. The CP approach shows performance similar to the SMT method, mostly below two minutes of computation time for the polynomial and rational fractional ODE systems in this benchmark. This method also reveals that 30% of the models that can be equilibrated over the reals have in fact no integer solution. These evaluation results show the scalability of the SMT and CP solvers for solving both real and integer tropical equilibration problems on real-size problems.
An Efficient Canonical Narrowing Implementation with Irreducibility and SMT Constraints for Generic Symbolic Protocol Analysis
Narrowing and unification are very useful tools for symbolic analysis of rewrite theories, and thus for any model that can be specified in that way. A very clear example of their application is the field of formal cryptographic protocol analysis, which is why narrowing and unification are used in tools such as Maude-NPA, Tamarin and Akiss. In this work we present the implementation of a canonical narrowing algorithm, which improves the standard narrowing algorithm, extended to be able to process rewrite theories with conditional rules. The conditions of the rules will contain SMT constraints, which will be carried throughout the execution of the algorithm to determine if the solutions have associated satisfiable or unsatisfiable constraints, and in the latter case, discard them.
Comment: 41 pages, 7 tables, 1 algorithm, 9 example
Towards a quantitative Alloy
Integrated Master's dissertation in Informatics Engineering. When one comes across a new problem that needs to be solved, abstracting from its associated details in a simple and concise way through the use of formal methods lets one better understand the matter at hand. Alloy (Jackson, 2012), a declarative specification language based on relational logic, is an example of an effective modelling tool, allowing high-level specification of potentially very complex systems. However, along with the irrelevant information, measurable data of the system is often lost in the abstraction as well, making it less adequate for certain situations.
The Alloy Analyzer represents the relations under analysis by Boolean matrices. By extending this type of structure to:
• numeric matrices over N0, one is able to work with multirelations, i.e. relations whose arcs are weighted; each tuple is thus associated with a natural number, which allows reasoning in a similar fashion to optimization problems and integer programming techniques;
• left-stochastic matrices, one is able to model faulty behaviour and other forms of quantitative information about software systems in a probabilistic way; in particular, this introduces the notion of a probabilistic contract in software design.
Such an increase in Alloy's capabilities strengthens its position in the area of formal methods for software design, in particular towards becoming a quantitative formal method.
This dissertation explores the motivation and importance behind quantitative analysis by studying and establishing theoretical foundations through categorial approaches to accomplish such reasoning in Alloy. It starts by reviewing the tools required to support such groundwork and proceeds to the design and implementation of such a quantitative Alloy extension.
This project aims to promote the evolution of quantitative formal methods by successfully achieving quantitative abstractions in Alloy, extending its support to these concepts and implementing them in the
Alloy Analyzer.