
    A Survey of Symbolic Execution Techniques

    Many security and software testing applications require checking whether certain properties of a program hold for every possible usage scenario. For instance, a tool for identifying software vulnerabilities may need to rule out the existence of any backdoor that bypasses a program's authentication. One approach would be to test the program using different, possibly random, inputs. As the backdoor may only be hit for very specific program workloads, automated exploration of the space of possible inputs is essential. Symbolic execution provides an elegant solution to the problem by systematically exploring many possible execution paths at the same time without necessarily requiring concrete inputs. Rather than taking fully specified input values, the technique represents them abstractly as symbols, resorting to constraint solvers to construct actual instances that would cause property violations. Symbolic execution has been incubated in dozens of tools developed over the last four decades, leading to major practical breakthroughs in a number of prominent software reliability applications. The goal of this survey is to provide an overview of the main ideas, challenges, and solutions developed in the area, distilling them for a broad audience. The present survey has been accepted for publication at ACM Computing Surveys. If you are considering citing this survey, we would appreciate it if you could use the following BibTeX entry: http://goo.gl/Hf5Fvc
    Comment: This is the authors' pre-print copy. If you are considering citing this survey, we would appreciate it if you could use the following BibTeX entry: http://goo.gl/Hf5Fv

    A Survey of Satisfiability Modulo Theory

    Satisfiability modulo theory (SMT) consists in testing the satisfiability of first-order formulas over linear integer or real arithmetic, or other theories. In this survey, we explain the combination of propositional satisfiability and decision procedures for conjunctions known as DPLL(T), and the alternative "natural domain" approaches. We also cover quantifiers, Craig interpolants, polynomial arithmetic, and how SMT solvers are used in automated software analysis.
    Comment: Computer Algebra in Scientific Computing, Sep 2016, Bucharest, Romania. 201

    Generating and Searching Families of FFT Algorithms

    A fundamental question of longstanding theoretical interest is to prove the lowest exact count of real additions and multiplications required to compute a power-of-two discrete Fourier transform (DFT). For 35 years the split-radix algorithm held the record by requiring just 4n log n - 6n + 8 arithmetic operations on real numbers for a size-n DFT, and was widely believed to be the best possible. Recent work by Van Buskirk et al. demonstrated improvements to the split-radix operation count by using multiplier coefficients or "twiddle factors" that are not n-th roots of unity for a size-n DFT. This paper presents a Boolean Satisfiability-based proof of the lowest operation count for certain classes of DFT algorithms. First, we present a novel way to choose new yet valid twiddle factors for the nodes in flowgraphs generated by common power-of-two fast Fourier transform (FFT) algorithms. With this new technique, we can generate a large family of FFTs realizable by a fixed flowgraph. This solution space of FFTs is cast as a Boolean Satisfiability problem, and a modern Satisfiability Modulo Theory solver is applied to search for FFTs requiring the fewest arithmetic operations. Surprisingly, we find that there are FFTs requiring fewer operations than the split-radix even when all twiddle factors are n-th roots of unity.
    Comment: Preprint submitted on March 28, 2011, to the Journal on Satisfiability, Boolean Modeling and Computatio

    Reluplex: An Efficient SMT Solver for Verifying Deep Neural Networks

    Deep neural networks have emerged as a widely used and effective means for tackling complex, real-world problems. However, a major obstacle in applying them to safety-critical systems is the great difficulty in providing formal guarantees about their behavior. We present a novel, scalable, and efficient technique for verifying properties of deep neural networks (or providing counter-examples). The technique is based on the simplex method, extended to handle the non-convex Rectified Linear Unit (ReLU) activation function, which is a crucial ingredient in many modern neural networks. The verification procedure tackles neural networks as a whole, without making any simplifying assumptions. We evaluated our technique on a prototype deep neural network implementation of the next-generation airborne collision avoidance system for unmanned aircraft (ACAS Xu). Results show that our technique can successfully prove properties of networks that are an order of magnitude larger than the largest networks verified using existing methods.
    Comment: This is the extended version of a paper with the same title that appeared at CAV 201

    Solving resource-constrained scheduling problems with exact methods

    Scheduling problems mainly consist in finding an assignment of execution times (a schedule) to a set of activities of a project that optimizes an objective function. There are many constraints imposed over the activities that any schedule must satisfy. The most usual constraints establish precedence relations between activities, or limit the amount of some resources that the activities can consume. There are many scheduling problems in the literature that have been and are currently still being studied. A paradigmatic example is the Resource-Constrained Project Scheduling Problem (RCPSP). It consists in finding a start time for each one of the activities of a project, respecting pre-defined precedence relations between activities and without exceeding the capacity of a set of resources that the activities consume. The goal is to find a schedule with the minimum makespan (total execution time of the project). The RCPSP has many generalizations, one of which is the Multimode Resource-Constrained Project Scheduling Problem (MRCPSP). In this variation, each activity has several available execution modes that differ in the duration of the activity or the demand of resources. A solution for the MRCPSP determines the start times of the activities and also an execution mode for each one. These problems are NP-hard, and are known in the literature to be especially hard, with moderately small instances of 50 activities that are still open. There are many approaches to solving RCPSP and MRCPSP in the literature. They are often tackled with metaheuristics due to their high complexity, but there are also some exact approaches, including Mixed Integer Linear Programming (MILP), Branch-and-Bound algorithms or Boolean Satisfiability (SAT), which have been shown to be competitive with and in many cases even better than metaheuristics. One of the exact methods that is growing in use in the field of constrained optimization is SAT Modulo Theories (SMT).
    This thesis is the continuation of previous works carried out in the Logic and Programming (L ∧ P) group of Universitat de Girona, which used SMT to tackle RCPSP and MRCPSP. Excluding these, there have not been any other attempts to use SMT to solve the MRCPSP. SMT solvers (like other generic methods such as SAT or MILP) do not know which problem they are dealing with. It is the work of the modeler to provide a representation of the problem (i.e. an encoding) in the language that the solver admits. The main goal of this thesis is to use SMT to solve the Multimode Resource-Constrained Project Scheduling Problem. We focus on two already existing encodings for the MRCPSP, namely the time encoding and the task encoding. We use some existing preprocessing methods that contribute to the formulation of time and task, and present new preprocessings. Most of them are based on the idea of incompatibility between two activities, i.e., the impossibility that two activities run at the same time instant. These incompatibilities let us rule out some configurations of the solutions before encoding the problem. Consequently, the use of preprocessings helps to reduce the size of the encodings in terms of variables and clauses. Another contribution of this work is the study of the time and task encodings and the differences that they present. We refine these encodings to provide more compact versions. Moreover, two new versions of these encodings are presented, which mainly differ in the codification of the constraints over the use of resources. One of them is based on Linear Integer Arithmetic expressions, and the other one on Pseudo-Boolean constraints and Integer Difference Logic. Another contribution of this work is the presentation of an ad-hoc optimization algorithm based on a linear search that mainly consists of three steps.
    First, it simplifies the problem to efficiently establish or rule out the feasibility of the instance; then it finds a first non-optimal solution by using a quick heuristic method; and finally it optimizes the problem, making use of the knowledge acquired with the preprocessings to boost the search. We also present initial work on a more intrusive approach consisting of modifying the internal heuristic of the SMT solver for the decision of literals. This work involves the study of a state-of-the-art implementation of an SMT solver, and its modification to include a framework to specify heuristics related to the encoding of the problem. We give some initial results on custom heuristics for the time and task encodings of the MRCPSP. Finally, we test our system with the benchmark sets of instances for the MRCPSP available in the literature, and compare our performance with a state-of-the-art exact solver for the MRCPSP. The results show that we are able to solve most of the benchmark sets. Moreover, we show that we are competitive with the state-of-the-art solver of Vilím et al. for the MRCPSP: our system is slower in solving the easiest benchmark instances, but outperforms the solver of Vilím et al. in solving the hardest instance

    Enhancing the Compilation of Synchronous Dataflow Programs with a Combined Numerical-Boolean Abstraction

    RR version: http://hal.inria.fr/hal-00780521/en
    In this paper, we propose an enhancement of the compilation of synchronous programs with a combined numerical-Boolean abstraction. While our approach applies to synchronous dataflow languages in general, here we consider the SIGNAL language for illustration. In the new abstraction, every signal in a program is associated with a pair of the form (clock, value), where clock is a Boolean function and value is a Boolean or numeric function. Given the performance level reached by recent progress in Satisfiability Modulo Theory (SMT), we use an SMT solver to reason on this abstraction. Through sample examples, we show how our solution is used to determine the absence of reaction, captured by empty clocks; mutual exclusion, captured by two or more clocks whose associated signals never occur at the same time; or hierarchical control of component activations via clock inclusion. We also show that the analysis improves the quality of the code generated automatically by a compiler, e.g., code with a smaller footprint, or code executed more efficiently thanks to optimizations enabled by the new abstraction. The implementation of the whole approach includes a translator of synchronous programs towards the standard input format of SMT solvers, and an ad hoc SMT solver that integrates advanced functionalities to cope with the issues of interest in this wor

    Optimal Planning Modulo Theories

    Planning for real-world applications requires algorithms and tools with the ability to handle the complexity such scenarios entail. However, meeting the needs of such applications poses substantial challenges, both representational and algorithmic. On the one hand, expressive languages are needed to build faithful models. On the other hand, efficient solving techniques that can support these languages need to be devised. A response to this challenge is underway, and the past few years have witnessed a community effort towards more expressive languages, including decidable fragments of first-order theories. In this work we focus on planning with arithmetic theories and propose Optimal Planning Modulo Theories, a framework that attempts to provide efficient means of dealing with such problems. Leveraging generic Optimization Modulo Theories (OMT) solvers, we first present domain-specific encodings for optimal planning in complex logistic domains. We then present a more general, domain-independent formulation that allows OMT planning to be extended to a broader class of well-studied numeric problems in planning. To the best of our knowledge, this is the first time OMT procedures are employed in domain-independent planning

    A Comparative Study of Randomized Constraint Solvers for Random-Symbolic Testing

    The complexity of constraints is a major obstacle for constraint-based software verification. Automatic constraint solvers are fundamentally incomplete: input constraints often build on some undecidable theory or some theory the solver does not support. This paper proposes and evaluates several randomized solvers to address this issue. We compare the effectiveness of a symbolic solver (CVC3), a random solver, three hybrid solvers (i.e., a mix of random and symbolic), and two heuristic search solvers. We evaluate the solvers on two benchmarks: one consisting of manually generated constraints and another generated with a concolic execution of 8 subjects. In addition to fully decidable constraints, the benchmarks include constraints with non-linear integer arithmetic, integer modulo and division, bitwise arithmetic, and floating-point arithmetic. As expected, symbolic solving (in particular, CVC3) subsumes the other solvers for the concolic execution of subjects that only generate decidable constraints. For the remaining subjects the solvers are complementary

    Towards a quantitative alloy

    Integrated master's dissertation in Informatics Engineering
    When one comes across a new problem that needs to be solved, abstracting from its associated details in a simple and concise way through the use of formal methods allows one to better understand the matter at hand. Alloy (Jackson, 2012), a declarative specification language based on relational logic, is an example of an effective modelling tool, allowing high-level specification of potentially very complex systems. However, along with the irrelevant information, measurable data of the system is often lost in the abstraction as well, making it less adequate for certain situations. The Alloy Analyzer represents the relations under analysis by Boolean matrices. By extending this type of structure to:
    • numeric matrices, over N0, one is able to work with multirelations, i.e. relations whose arcs are weighted; each tuple is thus associated with a natural number, which allows reasoning in a similar fashion as in optimization problems and integer programming techniques;
    • left-stochastic matrices, one is able to model faulty behaviour and other forms of quantitative information about software systems in a probabilistic way; in particular, this introduces the notion of a probabilistic contract in software design.
    Such an increase in Alloy's capabilities strengthens its position in the area of formal methods for software design, in particular towards becoming a quantitative formal method. This dissertation explores the motivation and importance behind quantitative analysis by studying and establishing theoretical foundations through categorial approaches to accomplish such reasoning in Alloy. This starts by reviewing the required tools to support such groundwork and proceeds to the design and implementation of such a quantitative Alloy extension. This project aims to promote the evolution of quantitative formal methods by successfully achieving quantitative abstractions in Alloy, extending its support to these concepts and implementing them in the Alloy Analyzer.

    When one encounters a new problem that needs to be solved, abstracting from its associated details in a simple and concise way by resorting to formal methods makes it possible to understand the matter at hand better. Alloy (Jackson, 2012), a declarative specification language based on relational logic, is an example of an effective modelling tool, enabling high-level specifications of potentially very complex systems. However, together with the irrelevant information, the measurable data are often also lost in the abstraction, making it less suitable for certain situations. The Alloy Analyzer represents the relations under analysis by means of Boolean matrices. By extending this type of structure to:
    • numeric matrices, over N0, it becomes possible to handle multirelations, i.e., relations whose arcs are weighted; each tuple is consequently associated with a natural number, which provides a line of reasoning similar to that of techniques for optimization problems and integer programming;
    • stochastic matrices, allowing faulty behaviour and other kinds of quantitative information about software systems to be modelled probabilistically; in particular, the notion of a probabilistic contract in software design is introduced.
    Such an increase in Alloy's capabilities strengthens its position in the area of formal methods for software design, in particular on the way to becoming a quantitative formal method. This dissertation explores the motivation and the underlying importance of quantitative analysis, starting from the study and consolidation of the theoretical foundations through categorical approaches so as to support this kind of reasoning in Alloy. Initially, the tools essential to secure such a basis are analysed, moving next to the planning and subsequent implementation of such a quantitative extension of Alloy. This project intends to promote the evolution of quantitative formal methods through the realisation of quantitative abstraction in Alloy, extending its base to support these concepts and thus implementing them in the Alloy Analyzer