9 research outputs found
Enhancing Approximations for Regular Reachability Analysis
This paper introduces two mechanisms for computing over-approximations of
sets of reachable states, with the aim of ensuring termination of state-space
exploration. The first mechanism consists in over-approximating the automata
representing reachable sets by merging some of their states with respect to
simple syntactic criteria, or a combination of such criteria. The second
approximation mechanism consists in manipulating an auxiliary automaton when
applying a transducer representing the transition relation to an automaton
encoding the initial states. In addition, for the second mechanism we propose a
new approach to refine the approximations depending on a property of interest.
The proposals are evaluated on examples of mutual exclusion protocols
Quadratic Word Equations with Length Constraints, Counter Systems, and Presburger Arithmetic with Divisibility
Word equations are a crucial element in the theoretical foundation of
constraint solving over strings, which have received a lot of attention in
recent years. A word equation relates two words over string variables and
constants. Its solution amounts to a function mapping variables to constant
strings that equate the left and right hand sides of the equation. While the
problem of solving word equations is decidable, the decidability of the problem
of solving a word equation with a length constraint (i.e., a constraint
relating the lengths of words in the word equation) has remained a
long-standing open problem. In this paper, we focus on the subclass of
quadratic word equations, i.e., in which each variable occurs at most twice. We
first show that the length abstractions of solutions to quadratic word
equations are in general not Presburger-definable. We then describe a class of
counter systems with Presburger transition relations which capture the length
abstraction of a quadratic word equation with regular constraints. We provide
an encoding of the effect of a simple loop of the counter systems in the theory
of existential Presburger Arithmetic with divisibility (PAD). Since PAD is
decidable, we get a decision procedure for quadratic words equations with
length constraints for which the associated counter system is \emph{flat}
(i.e., all nodes belong to at most one cycle). We show a decidability result
(in fact, also an NP algorithm with a PAD oracle) for a recently proposed
NP-complete fragment of word equations called regular-oriented word equations,
together with length constraints. Decidability holds when the constraints are
additionally extended with regular constraints with a 1-weak control structure.Comment: 18 page
Automata-based Model Counting String Constraint Solver for Vulnerability Analysis
Most common vulnerabilities in modern software applications are due to errors in string manipulation code. String constraint solvers are essential components of program analysis techniques for detecting and repairing vulnerabilities that are due to string manipulation errors. In this dissertation, we present an automata-based string constraint solver for vulnerability analysis of string manipulating programs.Given a string constraint, we generate an automaton that accepts all solutions that satisfy the constraint. Our string constraint solver can also map linear arithmetic constraints to automata in order to handle constraints on string lengths. By integrating our string constraint solver to a symbolic execution tool, we can check for string manipulation errors in programs. Recently, quantitative and probabilistic program analyses techniques have been proposed which require counting the number of solutions to string constraints. We extend our string constraint solver with model counting capability based on the observation that, using an automata-based constraint representation, model counting reduces to path counting, which can be solved precisely. Our approach is parameterized in the sense that, we do notassume a finite domain size during automata construction, resulting in a potentially infinite set of solutions, and our model counting approach works for arbitrarily large bounds.We have implemented our approach in a tool called ABC (Automata-Based model Counter) using a constraint language that is compatible with the SMTLIB language specification used by satifiabilty-modula-theories solvers. This SMTLIB interface facilitates integration of our constraint solver with existing symbolic execution tools. We demonstrate the effectiveness of ABC on a large set of string constraints extracted from real-world web applications.We also present automata-based testing techniques for string manipulating programs. A vulnerability signature is a characterization of all user inputs that can be used to exploit a vulnerability. Automata-based static string analysis techniques allow automated computation of vulnerability signatures represented as automata. Given a vulnerability signature represented as an automaton, we present algorithms for test case generation based on state, transition, and path coverage. These automaticallygenerated test cases can be used to test applications that are not analyzable statically, and to discover attack strings that demonstrate how the vulnerabilities can be exploited. We experimentally comparedifferent coverage criteria and demonstrate the effectiveness of our test generation approach
Relational string verification using multi-track automata
Abstract. Verification of string manipulation operations is a crucial problem in computer security. In this paper, we present a new relational string verification technique based on multi-track automata. Our approach is capable of verifying properties that depend on relations among string variables. This enables us to prove that vulnerabilities that result from improper string manipulation do not exist in a given program. Our main contributions in this paper can be summarized as follows: (1) We formally characterize the string verification problem as the reachability analysis of string systems and show decidability/undecidability results for several string analysis problems. (2) We develop a sound symbolic analysis technique for string verification that over-approximates the reachable states of a given string system using multi-track automata and summarization. (3) We evaluate the presented techniques with respect to several string analysis benchmarks extracted from real web applications.