On Satisfiability Modulo Computable Functions

We present a semi-decision procedure for checking satisfiability of formulas in the language of algebraic data types and integer linear arithmetic extended with user-defined terminating recursive functions. Our procedure is designed to integrate into a DPLL(T) solver loop, using blocking clauses to control function definition unfolding. The procedure can check the faithfulness of candidate counterexamples using code execution. It is sound for proofs and counterexamples. Moreover, it is terminating and thus complete for many important classes of specifications: for satisfiable specifications, for specifications whose recursive functions are sufficiently surjective, and for functions annotated with inductive postconditions. We have implemented our system in Scala, building on top of the Z3 API and Z3's plugin mechanism. Our results show our approach to be superior in practice to the alternative of encoding recursive functions as quantified axioms. Using our system, we verified detailed correctness properties for functional data structure implementations, as well as Scala syntax tree manipulations. We have found our system to be fast for both finding counterexamples and finding proofs for inductively annotated specifications. Furthermore, it can quickly enumerate many test cases satisfying a given functional precondition, which can then be used to test both functional and imperative code. Thanks to our tool, many SMT solver clients, including verifiers and synthesizers, can benefit from the expressive power of recursive function definitions within formulas

Binary Disassembly Block Coverage by Symbolic Execution vs. Recursive Descent

This research determines how appropriate symbolic execution is (given its current implementation) for binary analysis by measuring how much of an executable symbolic execution allows an analyst to reason about. Using the S2E Selective Symbolic Execution Engine with a built-in constraint solver (KLEE), this research measures the effectiveness of S2E on a sample of 27 Debian Linux binaries as compared to a traditional static disassembly tool, IDA Pro. Disassembly code coverage and path exploration is used as a metric for determining success. This research also explores the effectiveness of symbolic execution on packed or obfuscated samples of the same binaries to generate a model-based evaluation of success for techniques commonly employed by malware. Obfuscated results were much higher than expected, which lead to the discovery that S2E was not actually handling the multiple executable memory regions present in unpacker runtime code. Three recommendations are made to address the shortcomings of S2E and allow it to process obfuscated samples correctly

Variational Satisfiability Solving

Over the last two decades, satisfiability and satisfiability-modulo theory (SAT/SMT) solvers have grown powerful enough to be general purpose reasoning engines throughout software engineering and computer science. However, most practical use cases of SAT/SMT solvers require not just solving a single SAT/SMT problem, but solving sets of related SAT/SMT problems. This discrepancy was directly addressed by the SAT/SMT community with the invention of incremental SAT/SMT solving. However, incremental SAT/SMT solvers require users to hand write a program which dictates the terms that are shared between problems and terms which are unique. By placing the onus on users, incremental solvers couple the users’ solution to the users’ exact sequence of SAT/SMT problems—making the solution overly specific—and require the user to write extra infrastructure to coordinate or handle the results. This dissertation argues that the aforementioned problems result from accidental complexity produced by solving a problem that is variational without the concept of variation, similar to problematic use of GOTO statements in the absence of WHILE loop constructs. To demonstrate the argument, this thesis applies theory from variational programming to the domain of SAT/SMT solvers to create the first variational SAT solver. To do so, the thesis formalizes a variational propositional logic and specifies variational SAT solving as a compiler; that compiles variational SAT problems to instructions for an industrial strength SAT solver

Proceedings of Formal Methods in Computer Aided Design, FMCAD 2010

Table of Contents: Copyright -- Conference Organization -- Tutorials -- Dimensions in Program Synthesis / by Sumit Gulwani, Microsoft (p. 1) -- Verifying VIA Nano Microprocessor Components / by Warren Hunt, Centaur Technology (p. 3) -- Session 1. Invited Talk -- Embedded Systems Design - Scientific Challenges and Work Directions / by Joseph Sifakis, Verimag (p. 11) -- Session 2. Industrial Track - Case Studies -- Formal Verification of an ASIC Ethernet Switch Block / by B.A. Krishna and Anamaya Sullerey, Chelsio Communications; and Alok Jain, Cadence Design Systems (p. 13) -- Formal Verification of Arbiters using Property Strengthening and Underapproximations / by Gadiel Auerbach and Fady Copty, IBM Haifa; and Viresh Paruthi, IBM Systems & Technology Group (p. 21) -- SAT-Based Semiformal Verification of Hardware / by Sabih Agbaria, Dan Carmi, Orly Cohen, Dmitry Korchemny, Michael Lifshits, and Alexander Nadel, Intel (p. 25) -- DFT Logic Verification through Property Based Formal Methods - SOC to IP / by Lopamudra Sen, Amit Roy, Supriya Bhattacharjee, and Bijitendra Mittra, Interra Systems India; and Subir K. Roy, Texas Instruments India (p. 33) -- Session 3. Software Verification -- SLAM2: Static Driver Verification with Under 4% False Alarms / by Thomas Ball, Ella Bounimova, Rahul Kumar, and Vladimir Levin, Microsoft (p. 35) -- Precise Static Analysis of Untrusted Driver Binaries / by Johannes Kinder, Technische Universität Darmstadt; and Helmut Veith, Technische Universität Wien (p. 43) -- Verifying SystemC: A Software Model Checking Approach / by Alessandro Cimatti, Andrea Micheli, Iman Narasamdya, and Marco Roveri, FBK-irst (p. 51) -- Session 4. Decision Procedures -- Coping with Moore’s Law (and More): Supporting Arrays in State-of-the-Art Model Checkers / by Jason Baumgartner, Michael Case, and Hari Mony, IBM Systems & Technology Group (p. 61) -- CalCS: SMT Solving for Non-Linear Convex Constraints / by Pierluigi Nuzzo, Alberto Puggelli, Sanjit A. Seshia, and Alberto Sangiovanni-Vincentelli, University of California Berkeley (p. 71) -- Integrating ICP and LRA Solvers for Deciding Nonlinear Real Arithmetic Problems / by Sicun Gao, NEC Labs America and Carnegie Mellon University; Malay Ganai, NEC Labs America; Franjo Ivančić, NEC Labs America; Aarti Gupta, NEC Labs America; Sriram Sankaranarayanan, University of Colorado at Boulder; and Edmund M. Clarke, Carnegie Mellon University (p. 81) -- Session 5. Synthesis -- A Halting Algorithm to Determine the Existence of Decoder / by Sheng Yu Shen, Ying Qin, JianMin Zhang, and SiKun Li, National University of Defense Technology (p. 91) -- Synthesis for Regular Specifications over Unbounded Domains / by Jad Hamza, ENS Cachan; Barbara Jobstmann, CNRS/Verimag; and Viktor Kuncak, EPFL (p. 101) -- Automatic Inference of Memory Fences / by Michael Kuperstein, Technion; Martin Vechev, IBM Research; and Eran Yahav, IBM Research & Technion (p. 111) -- Session 6. Industrial Track -- Applying SMT in Symbolic Execution of Microcode / by Anders Franzén, FBK-irst and DISI-University of Trento; Alessandro Cimatti, FBK-irst; Alexander Nadel, Intel Israel; Roberto Sebastiani, DISI-University of Trento; and Jonathan Shalev, Intel Israel (p. 121) -- Automated Formal Verification of Processors Based on Architectural Models / by Ulrich Kühne, ENS Cachan; Sven Beyer, OneSpin Solutions; Jörg Bormann, Abstract RT Solutions; and John Barstow, Infineon Technologies (p. 129) -- Encoding Industrial Hardware Verification Problems into Effectively Propositional Logic / by Moshe Emmer and Zurab Khasidashvili, Intel Israel; Konstantin Korovin and Andrei Voronkov, University of Manchester (p. 137) -- Session 7. Hardware and Protocol Verification -- Combinatorial Techniques for Sequential Equivalence Checking / by Hamid Savoj and David Berthelot, Envis Corporation; Alan Mishchenko and Robert Brayton, University of California Berkeley (p. 145) -- Automatic Verification of Estimate Functions with Polynomials of Bounded Functions / by Jun Sawada, IBM Austin (p. 151) -- A Framework for Incremental Modelling and Verification of On-Chip Protocols / by Peter Böhm, Oxford University (p. 159) -- Modular Specification and Verification of Interprocess Communication / by Eyad Alkassar, Saarland University; Ernie Cohen and Mark Hillebrand, European Microsoft Innovation Center; and Hristo Pentchev, Saarland University (p. 167) -- Session 8. Invited Talk -- Large-Scale Application of Formal Verification from Fiction to Fact / by Viresh Paruthi, IBM Systems & Technology Group (p. 175) -- Session 9. Abstraction -- A Single-Instance Incremental SAT Formulation of Proof- and Counterexample-Based Abstraction / by Niklas Een and Alan Mishchenko, University of California Berkeley; and Nina Amla, Cadence Research Laboratory (p. 181) -- Predicate Abstraction with Adjustable-Block Encoding / by Dirk Beyer and M. Erkan Keremoglu, Simon Fraser University; and Philipp Wendler, University of Passau (p. 189) -- Modular Bug Detection with Inertial Refinement / by Nishant Sinha, NEC Research Labs (p. 199) -- Path Predicate Abstraction by Complete Interval Property Checking / by Joakim Urdahl, Dominik Stoffel, Jörg Bormann, Markus Wedler, and Wolfgang Kunz, University of Kaiserslautern (p. 207) -- Session 10. SAT and QBF -- Relieving Capacity Limits on FPGA-Based SAT-Solvers / by Leopold Haller, Oxford University; and Satnam Singh, Microsoft Research (p. 217) -- Boosting Minimal Unsatisfiable Core Extraction / by Alexander Nadel, Intel Israel (p. 221) -- Propelling SAT and SAT-Based BMC using Careset / by Malay K. Ganai, NEC Laboratories America (p. 231) -- Efficiently Solving Quantified Bit-Vector Formulas / by Christoph M. Wintersteiger, ETH Zurich; Youssef Hamadi, Microsoft Research; and Leonardo de Moura, Microsoft Research (p. 239) -- Session 11. Verification of Concurrent Systems -- Boosting Multi-Core Reachability Performance with Shared Hash Tables / by Alfons Laarman, Jaco van de Pol, Michael Weber, University of Twente (p. 247) -- Incremental Component-Based Construction and Verification using Invariants / by Saddek Bensalem and Marius Bozga, Verimag Laboratory; Axel Legay, INRIA/IRISA; Thanh-Hung Nguyen, Joseph Sifakis, and Rongjie Yan, Verimag Laboratory (p. 257) -- Verifying Shadow Page Table Algorithms / by Eyad Alkassar, Saarland University; Ernie Cohen and Mark Hillebrand, European Microsoft Innovation Center; Mikhail Kovalev and Wolfgang J. Paul, Saarland University (p. 267) -- Exhibition -- Impacting Verification Closure Using Formal Analysis / by Massimo Roselli (p. 271) -- Scalable and Precise Program Analysis at NEC / by Gogul Balakrishnan, Malay K. Ganai, Aarti Gupta, Franjo Ivančić, Vineet Kahlon, Weihong Li, Naoto Maeda, Nadia Papakonstantinou, Sriram Sankaranarayanan (University of Colorado at Boulder), Nishant Sinha, and Chao Wang, NEC Laboratories America (p. 273) -- Achieving Earlier Verification Closure Using Advanced Formal Verification / by Michael Siegel, OneSpin Solutions (p. 275) -- PINCETTE - Validating Changes and Upgrades in Networked Software / by Hana Chockler, IBM Israel (p. 277) -- Author Index20-23 October, 2010 in Lugano, Switzerlandhttp://www.cs.utexas.edu/users/hunt/FMCAD/Computer Science

Proceedings of Formal Methods in Computer Aided Design, FMCAD 2010

Table of Contents: Copyright -- Conference Organization -- Tutorials -- Dimensions in Program Synthesis / by Sumit Gulwani, Microsoft (p. 1) -- Verifying VIA Nano Microprocessor Components / by Warren Hunt, Centaur Technology (p. 3) -- Session 1. Invited Talk -- Embedded Systems Design - Scientific Challenges and Work Directions / by Joseph Sifakis, Verimag (p. 11) -- Session 2. Industrial Track - Case Studies -- Formal Verification of an ASIC Ethernet Switch Block / by B.A. Krishna and Anamaya Sullerey, Chelsio Communications; and Alok Jain, Cadence Design Systems (p. 13) -- Formal Verification of Arbiters using Property Strengthening and Underapproximations / by Gadiel Auerbach and Fady Copty, IBM Haifa; and Viresh Paruthi, IBM Systems & Technology Group (p. 21) -- SAT-Based Semiformal Verification of Hardware / by Sabih Agbaria, Dan Carmi, Orly Cohen, Dmitry Korchemny, Michael Lifshits, and Alexander Nadel, Intel (p. 25) -- DFT Logic Verification through Property Based Formal Methods - SOC to IP / by Lopamudra Sen, Amit Roy, Supriya Bhattacharjee, and Bijitendra Mittra, Interra Systems India; and Subir K. Roy, Texas Instruments India (p. 33) -- Session 3. Software Verification -- SLAM2: Static Driver Verification with Under 4% False Alarms / by Thomas Ball, Ella Bounimova, Rahul Kumar, and Vladimir Levin, Microsoft (p. 35) -- Precise Static Analysis of Untrusted Driver Binaries / by Johannes Kinder, Technische Universität Darmstadt; and Helmut Veith, Technische Universität Wien (p. 43) -- Verifying SystemC: A Software Model Checking Approach / by Alessandro Cimatti, Andrea Micheli, Iman Narasamdya, and Marco Roveri, FBK-irst (p. 51) -- Session 4. Decision Procedures -- Coping with Moore’s Law (and More): Supporting Arrays in State-of-the-Art Model Checkers / by Jason Baumgartner, Michael Case, and Hari Mony, IBM Systems & Technology Group (p. 61) -- CalCS: SMT Solving for Non-Linear Convex Constraints / by Pierluigi Nuzzo, Alberto Puggelli, Sanjit A. Seshia, and Alberto Sangiovanni-Vincentelli, University of California Berkeley (p. 71) -- Integrating ICP and LRA Solvers for Deciding Nonlinear Real Arithmetic Problems / by Sicun Gao, NEC Labs America and Carnegie Mellon University; Malay Ganai, NEC Labs America; Franjo Ivančić, NEC Labs America; Aarti Gupta, NEC Labs America; Sriram Sankaranarayanan, University of Colorado at Boulder; and Edmund M. Clarke, Carnegie Mellon University (p. 81) -- Session 5. Synthesis -- A Halting Algorithm to Determine the Existence of Decoder / by Sheng Yu Shen, Ying Qin, JianMin Zhang, and SiKun Li, National University of Defense Technology (p. 91) -- Synthesis for Regular Specifications over Unbounded Domains / by Jad Hamza, ENS Cachan; Barbara Jobstmann, CNRS/Verimag; and Viktor Kuncak, EPFL (p. 101) -- Automatic Inference of Memory Fences / by Michael Kuperstein, Technion; Martin Vechev, IBM Research; and Eran Yahav, IBM Research & Technion (p. 111) -- Session 6. Industrial Track -- Applying SMT in Symbolic Execution of Microcode / by Anders Franzén, FBK-irst and DISI-University of Trento; Alessandro Cimatti, FBK-irst; Alexander Nadel, Intel Israel; Roberto Sebastiani, DISI-University of Trento; and Jonathan Shalev, Intel Israel (p. 121) -- Automated Formal Verification of Processors Based on Architectural Models / by Ulrich Kühne, ENS Cachan; Sven Beyer, OneSpin Solutions; Jörg Bormann, Abstract RT Solutions; and John Barstow, Infineon Technologies (p. 129) -- Encoding Industrial Hardware Verification Problems into Effectively Propositional Logic / by Moshe Emmer and Zurab Khasidashvili, Intel Israel; Konstantin Korovin and Andrei Voronkov, University of Manchester (p. 137) -- Session 7. Hardware and Protocol Verification -- Combinatorial Techniques for Sequential Equivalence Checking / by Hamid Savoj and David Berthelot, Envis Corporation; Alan Mishchenko and Robert Brayton, University of California Berkeley (p. 145) -- Automatic Verification of Estimate Functions with Polynomials of Bounded Functions / by Jun Sawada, IBM Austin (p. 151) -- A Framework for Incremental Modelling and Verification of On-Chip Protocols / by Peter Böhm, Oxford University (p. 159) -- Modular Specification and Verification of Interprocess Communication / by Eyad Alkassar, Saarland University; Ernie Cohen and Mark Hillebrand, European Microsoft Innovation Center; and Hristo Pentchev, Saarland University (p. 167) -- Session 8. Invited Talk -- Large-Scale Application of Formal Verification from Fiction to Fact / by Viresh Paruthi, IBM Systems & Technology Group (p. 175) -- Session 9. Abstraction -- A Single-Instance Incremental SAT Formulation of Proof- and Counterexample-Based Abstraction / by Niklas Een and Alan Mishchenko, University of California Berkeley; and Nina Amla, Cadence Research Laboratory (p. 181) -- Predicate Abstraction with Adjustable-Block Encoding / by Dirk Beyer and M. Erkan Keremoglu, Simon Fraser University; and Philipp Wendler, University of Passau (p. 189) -- Modular Bug Detection with Inertial Refinement / by Nishant Sinha, NEC Research Labs (p. 199) -- Path Predicate Abstraction by Complete Interval Property Checking / by Joakim Urdahl, Dominik Stoffel, Jörg Bormann, Markus Wedler, and Wolfgang Kunz, University of Kaiserslautern (p. 207) -- Session 10. SAT and QBF -- Relieving Capacity Limits on FPGA-Based SAT-Solvers / by Leopold Haller, Oxford University; and Satnam Singh, Microsoft Research (p. 217) -- Boosting Minimal Unsatisfiable Core Extraction / by Alexander Nadel, Intel Israel (p. 221) -- Propelling SAT and SAT-Based BMC using Careset / by Malay K. Ganai, NEC Laboratories America (p. 231) -- Efficiently Solving Quantified Bit-Vector Formulas / by Christoph M. Wintersteiger, ETH Zurich; Youssef Hamadi, Microsoft Research; and Leonardo de Moura, Microsoft Research (p. 239) -- Session 11. Verification of Concurrent Systems -- Boosting Multi-Core Reachability Performance with Shared Hash Tables / by Alfons Laarman, Jaco van de Pol, Michael Weber, University of Twente (p. 247) -- Incremental Component-Based Construction and Verification using Invariants / by Saddek Bensalem and Marius Bozga, Verimag Laboratory; Axel Legay, INRIA/IRISA; Thanh-Hung Nguyen, Joseph Sifakis, and Rongjie Yan, Verimag Laboratory (p. 257) -- Verifying Shadow Page Table Algorithms / by Eyad Alkassar, Saarland University; Ernie Cohen and Mark Hillebrand, European Microsoft Innovation Center; Mikhail Kovalev and Wolfgang J. Paul, Saarland University (p. 267) -- Exhibition -- Impacting Verification Closure Using Formal Analysis / by Massimo Roselli (p. 271) -- Scalable and Precise Program Analysis at NEC / by Gogul Balakrishnan, Malay K. Ganai, Aarti Gupta, Franjo Ivančić, Vineet Kahlon, Weihong Li, Naoto Maeda, Nadia Papakonstantinou, Sriram Sankaranarayanan (University of Colorado at Boulder), Nishant Sinha, and Chao Wang, NEC Laboratories America (p. 273) -- Achieving Earlier Verification Closure Using Advanced Formal Verification / by Michael Siegel, OneSpin Solutions (p. 275) -- PINCETTE - Validating Changes and Upgrades in Networked Software / by Hana Chockler, IBM Israel (p. 277) -- Author Index20-23 October, 2010 in Lugano, Switzerlandhttp://www.cs.utexas.edu/users/hunt/FMCAD/Computer Science