Bounded Model Checking of Industrial Code

Abstract: Bounded Model Checking(BMC) is an effective and precise static analysis technique that reduces program verification to satisfiability (SAT) solving. However, with a few exceptions, BMC is not actively used in software industry, especially, when compared to dynamic analysis techniques such as fuzzing, or light-weight formal static analysis. This thesis describes our experience of applying BMC to industrial code using a novel BMC tool SEABMC. We present three contributions: First, a case study of (re)verifying the aws-c-common library from AWS using SEABMC and KLEE. This study explores the methodology from the perspective of three research questions: (a) can proof artifacts be used across verification tools; (b) are there bugs in verified code; and (c) can specifications be improved. To study these questions, we port the verification tasks for aws-c-common library to SEAHORN and KLEE. We show the benefits of using compiler semantics and cross-checking specifications with different verification techniques, and call for standardizing proof library extensions to increase specification reuse. Second, a description of SEABMC - a novel BMC engine for SEAHORN. We start with a custom IR (called SEA-IR) that explicitly purifies all memory operations by explicating dependencies between them. We then run program transformations and allow for generating many different styles of verification conditions. To support memory safety checking, we extend our base approach with fat pointers and shadow bits of memory to keep track of metadata, such as the size of a pointed-to object. To evaluate SEABMC, we use the aws-c-common library from AWS as a benchmark and compare with CBMC, SMACK, and KLEE. We show that SEABMC is capable of providing an order of magnitude improvement compared with state-of-the-art. Third, a case study of extending SEABMC to work with Rust - a young systems programming language. We ask three research questions: (a) can SEABMC be used to verify Rust programs easily; (b) can the specification style of aws-c-common be applied successfully to Rust programs; and (c) can verification become more efficient when using higher level language information. We answer these questions by verifying aspects of the Rust standard library using SEAURCHIN, an extension of SEABMC for Rust