1,629 research outputs found
Cause Clue Clauses: Error Localization using Maximum Satisfiability
Much effort is spent everyday by programmers in trying to reduce long,
failing execution traces to the cause of the error. We present a new algorithm
for error cause localization based on a reduction to the maximal satisfiability
problem (MAX-SAT), which asks what is the maximum number of clauses of a
Boolean formula that can be simultaneously satisfied by an assignment. At an
intuitive level, our algorithm takes as input a program and a failing test, and
comprises the following three steps. First, using symbolic execution, we encode
a trace of a program as a Boolean trace formula which is satisfiable iff the
trace is feasible. Second, for a failing program execution (e.g., one that
violates an assertion or a post-condition), we construct an unsatisfiable
formula by taking the trace formula and additionally asserting that the input
is the failing test and that the assertion condition does hold at the end.
Third, using MAX-SAT, we find a maximal set of clauses in this formula that can
be satisfied together, and output the complement set as a potential cause of
the error. We have implemented our algorithm in a tool called bug-assist for C
programs. We demonstrate the surprising effectiveness of the tool on a set of
benchmark examples with injected faults, and show that in most cases,
bug-assist can quickly and precisely isolate the exact few lines of code whose
change eliminates the error. We also demonstrate how our algorithm can be
modified to automatically suggest fixes for common classes of errors such as
off-by-one.Comment: The pre-alpha version of the tool can be downloaded from
http://bugassist.mpi-sws.or
Fast counting with tensor networks
We introduce tensor network contraction algorithms for counting satisfying
assignments of constraint satisfaction problems (#CSPs). We represent each
arbitrary #CSP formula as a tensor network, whose full contraction yields the
number of satisfying assignments of that formula, and use graph theoretical
methods to determine favorable orders of contraction. We employ our heuristics
for the solution of #P-hard counting boolean satisfiability (#SAT) problems,
namely monotone #1-in-3SAT and #Cubic-Vertex-Cover, and find that they
outperform state-of-the-art solvers by a significant margin.Comment: v2: added results for monotone #1-in-3SAT; published versio
Bounded Satisfiability for PCTL
While model checking PCTL for Markov chains is decidable in polynomial-time,
the decidability of PCTL satisfiability, as well as its finite model property,
are long standing open problems. While general satisfiability is an intriguing
challenge from a purely theoretical point of view, we argue that general
solutions would not be of interest to practitioners: such solutions could be
too big to be implementable or even infinite. Inspired by bounded synthesis
techniques, we turn to the more applied problem of seeking models of a bounded
size: we restrict our search to implementable -- and therefore reasonably
simple -- models. We propose a procedure to decide whether or not a given PCTL
formula has an implementable model by reducing it to an SMT problem. We have
implemented our techniques and found that they can be applied to the practical
problem of sanity checking -- a procedure that allows a system designer to
check whether their formula has an unexpectedly small model
Applying Formal Methods to Networking: Theory, Techniques and Applications
Despite its great importance, modern network infrastructure is remarkable for
the lack of rigor in its engineering. The Internet which began as a research
experiment was never designed to handle the users and applications it hosts
today. The lack of formalization of the Internet architecture meant limited
abstractions and modularity, especially for the control and management planes,
thus requiring for every new need a new protocol built from scratch. This led
to an unwieldy ossified Internet architecture resistant to any attempts at
formal verification, and an Internet culture where expediency and pragmatism
are favored over formal correctness. Fortunately, recent work in the space of
clean slate Internet design---especially, the software defined networking (SDN)
paradigm---offers the Internet community another chance to develop the right
kind of architecture and abstractions. This has also led to a great resurgence
in interest of applying formal methods to specification, verification, and
synthesis of networking protocols and applications. In this paper, we present a
self-contained tutorial of the formidable amount of work that has been done in
formal methods, and present a survey of its applications to networking.Comment: 30 pages, submitted to IEEE Communications Surveys and Tutorial
Diagnose network failures via data-plane analysis
Diagnosing problems in networks is a time-consuming and error-prone process. Previous tools to assist operators primarily focus on analyzing control
plane configuration. Configuration analysis is limited in that it cannot find
bugs in router software, and is harder to generalize across protocols since it
must model complex configuration languages and dynamic protocol behavior.
This paper studies an alternate approach: diagnosing problems through
static analysis of the data plane. This approach can catch bugs that are
invisible at the level of configuration files, and simplifies unified analysis of a
network across many protocols and implementations. We present Anteater, a
tool for checking invariants in the data plane. Anteater translates high-level
network invariants into boolean satisfiability problems, checks them against
network state using a SAT solver, and reports counterexamples if violations
have been found. Applied to a large campus network, Anteater revealed 23
bugs, including forwarding loops and stale ACL rules, with only five false
positives. Nine of these faults are being fixed by campus network operators
Logic Locking based Trojans: A Friend Turns Foe
Logic locking and hardware Trojans are two fields in hardware security that
have been mostly developed independently from each other. In this paper, we
identify the relationship between these two fields. We find that a common
structure that exists in many logic locking techniques has desirable properties
of hardware Trojans (HWT). We then construct a novel type of HWT, called
Trojans based on Logic Locking (TroLL), in a way that can evade
state-of-the-art ATPG-based HWT detection techniques. In an effort to detect
TroLL, we propose customization of existing state-of-the-art ATPG-based HWT
detection approaches as well as adapting the SAT-based attacks on logic locking
to HWT detection. In our experiments, we use random sampling as reference. It
is shown that the customized ATPG-based approaches are the best performing but
only offer limited improvement over random sampling. Moreover, their efficacy
also diminishes as TroLL's triggers become longer, i.e., have more bits
specified). We thereby highlight the need to find a scalable HWT detection
approach for TroLL.Comment: 9 pages, double column, 8 figures, IEEE forma
A Survey of Symbolic Execution Techniques
Many security and software testing applications require checking whether
certain properties of a program hold for any possible usage scenario. For
instance, a tool for identifying software vulnerabilities may need to rule out
the existence of any backdoor to bypass a program's authentication. One
approach would be to test the program using different, possibly random inputs.
As the backdoor may only be hit for very specific program workloads, automated
exploration of the space of possible inputs is of the essence. Symbolic
execution provides an elegant solution to the problem, by systematically
exploring many possible execution paths at the same time without necessarily
requiring concrete inputs. Rather than taking on fully specified input values,
the technique abstractly represents them as symbols, resorting to constraint
solvers to construct actual instances that would cause property violations.
Symbolic execution has been incubated in dozens of tools developed over the
last four decades, leading to major practical breakthroughs in a number of
prominent software reliability applications. The goal of this survey is to
provide an overview of the main ideas, challenges, and solutions developed in
the area, distilling them for a broad audience.
The present survey has been accepted for publication at ACM Computing
Surveys. If you are considering citing this survey, we would appreciate if you
could use the following BibTeX entry: http://goo.gl/Hf5FvcComment: This is the authors pre-print copy. If you are considering citing
this survey, we would appreciate if you could use the following BibTeX entry:
http://goo.gl/Hf5Fv
- …