1,197 research outputs found
A Survey of Symbolic Execution Techniques
Many security and software testing applications require checking whether
certain properties of a program hold for any possible usage scenario. For
instance, a tool for identifying software vulnerabilities may need to rule out
the existence of any backdoor to bypass a program's authentication. One
approach would be to test the program using different, possibly random inputs.
As the backdoor may only be hit for very specific program workloads, automated
exploration of the space of possible inputs is of the essence. Symbolic
execution provides an elegant solution to the problem, by systematically
exploring many possible execution paths at the same time without necessarily
requiring concrete inputs. Rather than taking on fully specified input values,
the technique abstractly represents them as symbols, resorting to constraint
solvers to construct actual instances that would cause property violations.
Symbolic execution has been incubated in dozens of tools developed over the
last four decades, leading to major practical breakthroughs in a number of
prominent software reliability applications. The goal of this survey is to
provide an overview of the main ideas, challenges, and solutions developed in
the area, distilling them for a broad audience.
The present survey has been accepted for publication at ACM Computing
Surveys. If you are considering citing this survey, we would appreciate if you
could use the following BibTeX entry: http://goo.gl/Hf5FvcComment: This is the authors pre-print copy. If you are considering citing
this survey, we would appreciate if you could use the following BibTeX entry:
http://goo.gl/Hf5Fv
A Unified View of Piecewise Linear Neural Network Verification
The success of Deep Learning and its potential use in many safety-critical
applications has motivated research on formal verification of Neural Network
(NN) models. Despite the reputation of learned NN models to behave as black
boxes and the theoretical hardness of proving their properties, researchers
have been successful in verifying some classes of models by exploiting their
piecewise linear structure and taking insights from formal methods such as
Satisifiability Modulo Theory. These methods are however still far from scaling
to realistic neural networks. To facilitate progress on this crucial area, we
make two key contributions. First, we present a unified framework that
encompasses previous methods. This analysis results in the identification of
new methods that combine the strengths of multiple existing approaches,
accomplishing a speedup of two orders of magnitude compared to the previous
state of the art. Second, we propose a new data set of benchmarks which
includes a collection of previously released testcases. We use the benchmark to
provide the first experimental comparison of existing algorithms and identify
the factors impacting the hardness of verification problems.Comment: Updated version of "Piecewise Linear Neural Network verification: A
comparative study
Efficient First-Order Temporal Logic for Infinite-State Systems
In this paper we consider the specification and verification of
infinite-state systems using temporal logic. In particular, we describe
parameterised systems using a new variety of first-order temporal logic that is
both powerful enough for this form of specification and tractable enough for
practical deductive verification. Importantly, the power of the temporal
language allows us to describe (and verify) asynchronous systems, communication
delays and more complex properties such as liveness and fairness properties.
These aspects appear difficult for many other approaches to infinite-state
verification.Comment: 16 pages, 2 figure
Backward Reachability of Array-based Systems by SMT solving: Termination and Invariant Synthesis
The safety of infinite state systems can be checked by a backward
reachability procedure. For certain classes of systems, it is possible to prove
the termination of the procedure and hence conclude the decidability of the
safety problem. Although backward reachability is property-directed, it can
unnecessarily explore (large) portions of the state space of a system which are
not required to verify the safety property under consideration. To avoid this,
invariants can be used to dramatically prune the search space. Indeed, the
problem is to guess such appropriate invariants. In this paper, we present a
fully declarative and symbolic approach to the mechanization of backward
reachability of infinite state systems manipulating arrays by Satisfiability
Modulo Theories solving. Theories are used to specify the topology and the data
manipulated by the system. We identify sufficient conditions on the theories to
ensure the termination of backward reachability and we show the completeness of
a method for invariant synthesis (obtained as the dual of backward
reachability), again, under suitable hypotheses on the theories. We also
present a pragmatic approach to interleave invariant synthesis and backward
reachability so that a fix-point for the set of backward reachable states is
more easily obtained. Finally, we discuss heuristics that allow us to derive an
implementation of the techniques in the model checker MCMT, showing remarkable
speed-ups on a significant set of safety problems extracted from a variety of
sources.Comment: Accepted for publication in Logical Methods in Computer Scienc
- …